xref: /openbmc/linux/security/selinux/hooks.c (revision 52fb57e7)
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *	      Chris Vance, <cvance@nai.com>
8  *	      Wayne Salamon, <wsalamon@nai.com>
9  *	      James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *					   Eric Paris <eparis@redhat.com>
14  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15  *			    <dgoeddel@trustedcs.com>
16  *  Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17  *	Paul Moore <paul@paul-moore.com>
18  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19  *		       Yuichi Nakamura <ynakam@hitachisoft.jp>
20  *
21  *	This program is free software; you can redistribute it and/or modify
22  *	it under the terms of the GNU General Public License version 2,
23  *	as published by the Free Software Foundation.
24  */
25 
26 #include <linux/init.h>
27 #include <linux/kd.h>
28 #include <linux/kernel.h>
29 #include <linux/tracehook.h>
30 #include <linux/errno.h>
31 #include <linux/sched.h>
32 #include <linux/security.h>
33 #include <linux/xattr.h>
34 #include <linux/capability.h>
35 #include <linux/unistd.h>
36 #include <linux/mm.h>
37 #include <linux/mman.h>
38 #include <linux/slab.h>
39 #include <linux/pagemap.h>
40 #include <linux/proc_fs.h>
41 #include <linux/swap.h>
42 #include <linux/spinlock.h>
43 #include <linux/syscalls.h>
44 #include <linux/dcache.h>
45 #include <linux/file.h>
46 #include <linux/fdtable.h>
47 #include <linux/namei.h>
48 #include <linux/mount.h>
49 #include <linux/netfilter_ipv4.h>
50 #include <linux/netfilter_ipv6.h>
51 #include <linux/tty.h>
52 #include <net/icmp.h>
53 #include <net/ip.h>		/* for local_port_range[] */
54 #include <net/tcp.h>		/* struct or_callable used in sock_rcv_skb */
55 #include <net/inet_connection_sock.h>
56 #include <net/net_namespace.h>
57 #include <net/netlabel.h>
58 #include <linux/uaccess.h>
59 #include <asm/ioctls.h>
60 #include <linux/atomic.h>
61 #include <linux/bitops.h>
62 #include <linux/interrupt.h>
63 #include <linux/netdevice.h>	/* for network interface checks */
64 #include <net/netlink.h>
65 #include <linux/tcp.h>
66 #include <linux/udp.h>
67 #include <linux/dccp.h>
68 #include <linux/quota.h>
69 #include <linux/un.h>		/* for Unix socket types */
70 #include <net/af_unix.h>	/* for Unix socket types */
71 #include <linux/parser.h>
72 #include <linux/nfs_mount.h>
73 #include <net/ipv6.h>
74 #include <linux/hugetlb.h>
75 #include <linux/personality.h>
76 #include <linux/audit.h>
77 #include <linux/string.h>
78 #include <linux/selinux.h>
79 #include <linux/mutex.h>
80 #include <linux/posix-timers.h>
81 #include <linux/syslog.h>
82 #include <linux/user_namespace.h>
83 #include <linux/export.h>
84 #include <linux/msg.h>
85 #include <linux/shm.h>
86 
87 #include "avc.h"
88 #include "objsec.h"
89 #include "netif.h"
90 #include "netnode.h"
91 #include "netport.h"
92 #include "xfrm.h"
93 #include "netlabel.h"
94 #include "audit.h"
95 #include "avc_ss.h"
96 
97 /* SECMARK reference count */
98 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
99 
100 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
101 int selinux_enforcing;
102 
103 static int __init enforcing_setup(char *str)
104 {
105 	unsigned long enforcing;
106 	if (!kstrtoul(str, 0, &enforcing))
107 		selinux_enforcing = enforcing ? 1 : 0;
108 	return 1;
109 }
110 __setup("enforcing=", enforcing_setup);
111 #endif
112 
113 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
114 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
115 
116 static int __init selinux_enabled_setup(char *str)
117 {
118 	unsigned long enabled;
119 	if (!kstrtoul(str, 0, &enabled))
120 		selinux_enabled = enabled ? 1 : 0;
121 	return 1;
122 }
123 __setup("selinux=", selinux_enabled_setup);
124 #else
125 int selinux_enabled = 1;
126 #endif
127 
128 static struct kmem_cache *sel_inode_cache;
129 
130 /**
131  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
132  *
133  * Description:
134  * This function checks the SECMARK reference counter to see if any SECMARK
135  * targets are currently configured, if the reference counter is greater than
136  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
137  * enabled, false (0) if SECMARK is disabled.  If the always_check_network
138  * policy capability is enabled, SECMARK is always considered enabled.
139  *
140  */
141 static int selinux_secmark_enabled(void)
142 {
143 	return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
144 }
145 
146 /**
147  * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
148  *
149  * Description:
150  * This function checks if NetLabel or labeled IPSEC is enabled.  Returns true
151  * (1) if any are enabled or false (0) if neither are enabled.  If the
152  * always_check_network policy capability is enabled, peer labeling
153  * is always considered enabled.
154  *
155  */
156 static int selinux_peerlbl_enabled(void)
157 {
158 	return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
159 }
160 
161 static int selinux_netcache_avc_callback(u32 event)
162 {
163 	if (event == AVC_CALLBACK_RESET) {
164 		sel_netif_flush();
165 		sel_netnode_flush();
166 		sel_netport_flush();
167 		synchronize_net();
168 	}
169 	return 0;
170 }
171 
172 /*
173  * initialise the security for the init task
174  */
175 static void cred_init_security(void)
176 {
177 	struct cred *cred = (struct cred *) current->real_cred;
178 	struct task_security_struct *tsec;
179 
180 	tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
181 	if (!tsec)
182 		panic("SELinux:  Failed to initialize initial task.\n");
183 
184 	tsec->osid = tsec->sid = SECINITSID_KERNEL;
185 	cred->security = tsec;
186 }
187 
188 /*
189  * get the security ID of a set of credentials
190  */
191 static inline u32 cred_sid(const struct cred *cred)
192 {
193 	const struct task_security_struct *tsec;
194 
195 	tsec = cred->security;
196 	return tsec->sid;
197 }
198 
199 /*
200  * get the objective security ID of a task
201  */
202 static inline u32 task_sid(const struct task_struct *task)
203 {
204 	u32 sid;
205 
206 	rcu_read_lock();
207 	sid = cred_sid(__task_cred(task));
208 	rcu_read_unlock();
209 	return sid;
210 }
211 
212 /*
213  * get the subjective security ID of the current task
214  */
215 static inline u32 current_sid(void)
216 {
217 	const struct task_security_struct *tsec = current_security();
218 
219 	return tsec->sid;
220 }
221 
222 /* Allocate and free functions for each kind of security blob. */
223 
224 static int inode_alloc_security(struct inode *inode)
225 {
226 	struct inode_security_struct *isec;
227 	u32 sid = current_sid();
228 
229 	isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
230 	if (!isec)
231 		return -ENOMEM;
232 
233 	mutex_init(&isec->lock);
234 	INIT_LIST_HEAD(&isec->list);
235 	isec->inode = inode;
236 	isec->sid = SECINITSID_UNLABELED;
237 	isec->sclass = SECCLASS_FILE;
238 	isec->task_sid = sid;
239 	inode->i_security = isec;
240 
241 	return 0;
242 }
243 
244 static void inode_free_rcu(struct rcu_head *head)
245 {
246 	struct inode_security_struct *isec;
247 
248 	isec = container_of(head, struct inode_security_struct, rcu);
249 	kmem_cache_free(sel_inode_cache, isec);
250 }
251 
252 static void inode_free_security(struct inode *inode)
253 {
254 	struct inode_security_struct *isec = inode->i_security;
255 	struct superblock_security_struct *sbsec = inode->i_sb->s_security;
256 
257 	spin_lock(&sbsec->isec_lock);
258 	if (!list_empty(&isec->list))
259 		list_del_init(&isec->list);
260 	spin_unlock(&sbsec->isec_lock);
261 
262 	/*
263 	 * The inode may still be referenced in a path walk and
264 	 * a call to selinux_inode_permission() can be made
265 	 * after inode_free_security() is called. Ideally, the VFS
266 	 * wouldn't do this, but fixing that is a much harder
267 	 * job. For now, simply free the i_security via RCU, and
268 	 * leave the current inode->i_security pointer intact.
269 	 * The inode will be freed after the RCU grace period too.
270 	 */
271 	call_rcu(&isec->rcu, inode_free_rcu);
272 }
273 
274 static int file_alloc_security(struct file *file)
275 {
276 	struct file_security_struct *fsec;
277 	u32 sid = current_sid();
278 
279 	fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
280 	if (!fsec)
281 		return -ENOMEM;
282 
283 	fsec->sid = sid;
284 	fsec->fown_sid = sid;
285 	file->f_security = fsec;
286 
287 	return 0;
288 }
289 
290 static void file_free_security(struct file *file)
291 {
292 	struct file_security_struct *fsec = file->f_security;
293 	file->f_security = NULL;
294 	kfree(fsec);
295 }
296 
297 static int superblock_alloc_security(struct super_block *sb)
298 {
299 	struct superblock_security_struct *sbsec;
300 
301 	sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
302 	if (!sbsec)
303 		return -ENOMEM;
304 
305 	mutex_init(&sbsec->lock);
306 	INIT_LIST_HEAD(&sbsec->isec_head);
307 	spin_lock_init(&sbsec->isec_lock);
308 	sbsec->sb = sb;
309 	sbsec->sid = SECINITSID_UNLABELED;
310 	sbsec->def_sid = SECINITSID_FILE;
311 	sbsec->mntpoint_sid = SECINITSID_UNLABELED;
312 	sb->s_security = sbsec;
313 
314 	return 0;
315 }
316 
317 static void superblock_free_security(struct super_block *sb)
318 {
319 	struct superblock_security_struct *sbsec = sb->s_security;
320 	sb->s_security = NULL;
321 	kfree(sbsec);
322 }
323 
324 /* The file system's label must be initialized prior to use. */
325 
326 static const char *labeling_behaviors[7] = {
327 	"uses xattr",
328 	"uses transition SIDs",
329 	"uses task SIDs",
330 	"uses genfs_contexts",
331 	"not configured for labeling",
332 	"uses mountpoint labeling",
333 	"uses native labeling",
334 };
335 
336 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
337 
338 static inline int inode_doinit(struct inode *inode)
339 {
340 	return inode_doinit_with_dentry(inode, NULL);
341 }
342 
343 enum {
344 	Opt_error = -1,
345 	Opt_context = 1,
346 	Opt_fscontext = 2,
347 	Opt_defcontext = 3,
348 	Opt_rootcontext = 4,
349 	Opt_labelsupport = 5,
350 	Opt_nextmntopt = 6,
351 };
352 
353 #define NUM_SEL_MNT_OPTS	(Opt_nextmntopt - 1)
354 
355 static const match_table_t tokens = {
356 	{Opt_context, CONTEXT_STR "%s"},
357 	{Opt_fscontext, FSCONTEXT_STR "%s"},
358 	{Opt_defcontext, DEFCONTEXT_STR "%s"},
359 	{Opt_rootcontext, ROOTCONTEXT_STR "%s"},
360 	{Opt_labelsupport, LABELSUPP_STR},
361 	{Opt_error, NULL},
362 };
363 
364 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
365 
366 static int may_context_mount_sb_relabel(u32 sid,
367 			struct superblock_security_struct *sbsec,
368 			const struct cred *cred)
369 {
370 	const struct task_security_struct *tsec = cred->security;
371 	int rc;
372 
373 	rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
374 			  FILESYSTEM__RELABELFROM, NULL);
375 	if (rc)
376 		return rc;
377 
378 	rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
379 			  FILESYSTEM__RELABELTO, NULL);
380 	return rc;
381 }
382 
383 static int may_context_mount_inode_relabel(u32 sid,
384 			struct superblock_security_struct *sbsec,
385 			const struct cred *cred)
386 {
387 	const struct task_security_struct *tsec = cred->security;
388 	int rc;
389 	rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
390 			  FILESYSTEM__RELABELFROM, NULL);
391 	if (rc)
392 		return rc;
393 
394 	rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
395 			  FILESYSTEM__ASSOCIATE, NULL);
396 	return rc;
397 }
398 
399 static int selinux_is_sblabel_mnt(struct super_block *sb)
400 {
401 	struct superblock_security_struct *sbsec = sb->s_security;
402 
403 	return sbsec->behavior == SECURITY_FS_USE_XATTR ||
404 		sbsec->behavior == SECURITY_FS_USE_TRANS ||
405 		sbsec->behavior == SECURITY_FS_USE_TASK ||
406 		/* Special handling. Genfs but also in-core setxattr handler */
407 		!strcmp(sb->s_type->name, "sysfs") ||
408 		!strcmp(sb->s_type->name, "pstore") ||
409 		!strcmp(sb->s_type->name, "debugfs") ||
410 		!strcmp(sb->s_type->name, "rootfs");
411 }
412 
413 static int sb_finish_set_opts(struct super_block *sb)
414 {
415 	struct superblock_security_struct *sbsec = sb->s_security;
416 	struct dentry *root = sb->s_root;
417 	struct inode *root_inode = d_backing_inode(root);
418 	int rc = 0;
419 
420 	if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
421 		/* Make sure that the xattr handler exists and that no
422 		   error other than -ENODATA is returned by getxattr on
423 		   the root directory.  -ENODATA is ok, as this may be
424 		   the first boot of the SELinux kernel before we have
425 		   assigned xattr values to the filesystem. */
426 		if (!root_inode->i_op->getxattr) {
427 			printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
428 			       "xattr support\n", sb->s_id, sb->s_type->name);
429 			rc = -EOPNOTSUPP;
430 			goto out;
431 		}
432 		rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
433 		if (rc < 0 && rc != -ENODATA) {
434 			if (rc == -EOPNOTSUPP)
435 				printk(KERN_WARNING "SELinux: (dev %s, type "
436 				       "%s) has no security xattr handler\n",
437 				       sb->s_id, sb->s_type->name);
438 			else
439 				printk(KERN_WARNING "SELinux: (dev %s, type "
440 				       "%s) getxattr errno %d\n", sb->s_id,
441 				       sb->s_type->name, -rc);
442 			goto out;
443 		}
444 	}
445 
446 	if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
447 		printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
448 		       sb->s_id, sb->s_type->name);
449 
450 	sbsec->flags |= SE_SBINITIALIZED;
451 	if (selinux_is_sblabel_mnt(sb))
452 		sbsec->flags |= SBLABEL_MNT;
453 
454 	/* Initialize the root inode. */
455 	rc = inode_doinit_with_dentry(root_inode, root);
456 
457 	/* Initialize any other inodes associated with the superblock, e.g.
458 	   inodes created prior to initial policy load or inodes created
459 	   during get_sb by a pseudo filesystem that directly
460 	   populates itself. */
461 	spin_lock(&sbsec->isec_lock);
462 next_inode:
463 	if (!list_empty(&sbsec->isec_head)) {
464 		struct inode_security_struct *isec =
465 				list_entry(sbsec->isec_head.next,
466 					   struct inode_security_struct, list);
467 		struct inode *inode = isec->inode;
468 		list_del_init(&isec->list);
469 		spin_unlock(&sbsec->isec_lock);
470 		inode = igrab(inode);
471 		if (inode) {
472 			if (!IS_PRIVATE(inode))
473 				inode_doinit(inode);
474 			iput(inode);
475 		}
476 		spin_lock(&sbsec->isec_lock);
477 		goto next_inode;
478 	}
479 	spin_unlock(&sbsec->isec_lock);
480 out:
481 	return rc;
482 }
483 
484 /*
485  * This function should allow an FS to ask what it's mount security
486  * options were so it can use those later for submounts, displaying
487  * mount options, or whatever.
488  */
489 static int selinux_get_mnt_opts(const struct super_block *sb,
490 				struct security_mnt_opts *opts)
491 {
492 	int rc = 0, i;
493 	struct superblock_security_struct *sbsec = sb->s_security;
494 	char *context = NULL;
495 	u32 len;
496 	char tmp;
497 
498 	security_init_mnt_opts(opts);
499 
500 	if (!(sbsec->flags & SE_SBINITIALIZED))
501 		return -EINVAL;
502 
503 	if (!ss_initialized)
504 		return -EINVAL;
505 
506 	/* make sure we always check enough bits to cover the mask */
507 	BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
508 
509 	tmp = sbsec->flags & SE_MNTMASK;
510 	/* count the number of mount options for this sb */
511 	for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
512 		if (tmp & 0x01)
513 			opts->num_mnt_opts++;
514 		tmp >>= 1;
515 	}
516 	/* Check if the Label support flag is set */
517 	if (sbsec->flags & SBLABEL_MNT)
518 		opts->num_mnt_opts++;
519 
520 	opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
521 	if (!opts->mnt_opts) {
522 		rc = -ENOMEM;
523 		goto out_free;
524 	}
525 
526 	opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
527 	if (!opts->mnt_opts_flags) {
528 		rc = -ENOMEM;
529 		goto out_free;
530 	}
531 
532 	i = 0;
533 	if (sbsec->flags & FSCONTEXT_MNT) {
534 		rc = security_sid_to_context(sbsec->sid, &context, &len);
535 		if (rc)
536 			goto out_free;
537 		opts->mnt_opts[i] = context;
538 		opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
539 	}
540 	if (sbsec->flags & CONTEXT_MNT) {
541 		rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
542 		if (rc)
543 			goto out_free;
544 		opts->mnt_opts[i] = context;
545 		opts->mnt_opts_flags[i++] = CONTEXT_MNT;
546 	}
547 	if (sbsec->flags & DEFCONTEXT_MNT) {
548 		rc = security_sid_to_context(sbsec->def_sid, &context, &len);
549 		if (rc)
550 			goto out_free;
551 		opts->mnt_opts[i] = context;
552 		opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
553 	}
554 	if (sbsec->flags & ROOTCONTEXT_MNT) {
555 		struct inode *root = d_backing_inode(sbsec->sb->s_root);
556 		struct inode_security_struct *isec = root->i_security;
557 
558 		rc = security_sid_to_context(isec->sid, &context, &len);
559 		if (rc)
560 			goto out_free;
561 		opts->mnt_opts[i] = context;
562 		opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
563 	}
564 	if (sbsec->flags & SBLABEL_MNT) {
565 		opts->mnt_opts[i] = NULL;
566 		opts->mnt_opts_flags[i++] = SBLABEL_MNT;
567 	}
568 
569 	BUG_ON(i != opts->num_mnt_opts);
570 
571 	return 0;
572 
573 out_free:
574 	security_free_mnt_opts(opts);
575 	return rc;
576 }
577 
578 static int bad_option(struct superblock_security_struct *sbsec, char flag,
579 		      u32 old_sid, u32 new_sid)
580 {
581 	char mnt_flags = sbsec->flags & SE_MNTMASK;
582 
583 	/* check if the old mount command had the same options */
584 	if (sbsec->flags & SE_SBINITIALIZED)
585 		if (!(sbsec->flags & flag) ||
586 		    (old_sid != new_sid))
587 			return 1;
588 
589 	/* check if we were passed the same options twice,
590 	 * aka someone passed context=a,context=b
591 	 */
592 	if (!(sbsec->flags & SE_SBINITIALIZED))
593 		if (mnt_flags & flag)
594 			return 1;
595 	return 0;
596 }
597 
598 /*
599  * Allow filesystems with binary mount data to explicitly set mount point
600  * labeling information.
601  */
602 static int selinux_set_mnt_opts(struct super_block *sb,
603 				struct security_mnt_opts *opts,
604 				unsigned long kern_flags,
605 				unsigned long *set_kern_flags)
606 {
607 	const struct cred *cred = current_cred();
608 	int rc = 0, i;
609 	struct superblock_security_struct *sbsec = sb->s_security;
610 	const char *name = sb->s_type->name;
611 	struct inode *inode = d_backing_inode(sbsec->sb->s_root);
612 	struct inode_security_struct *root_isec = inode->i_security;
613 	u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
614 	u32 defcontext_sid = 0;
615 	char **mount_options = opts->mnt_opts;
616 	int *flags = opts->mnt_opts_flags;
617 	int num_opts = opts->num_mnt_opts;
618 
619 	mutex_lock(&sbsec->lock);
620 
621 	if (!ss_initialized) {
622 		if (!num_opts) {
623 			/* Defer initialization until selinux_complete_init,
624 			   after the initial policy is loaded and the security
625 			   server is ready to handle calls. */
626 			goto out;
627 		}
628 		rc = -EINVAL;
629 		printk(KERN_WARNING "SELinux: Unable to set superblock options "
630 			"before the security server is initialized\n");
631 		goto out;
632 	}
633 	if (kern_flags && !set_kern_flags) {
634 		/* Specifying internal flags without providing a place to
635 		 * place the results is not allowed */
636 		rc = -EINVAL;
637 		goto out;
638 	}
639 
640 	/*
641 	 * Binary mount data FS will come through this function twice.  Once
642 	 * from an explicit call and once from the generic calls from the vfs.
643 	 * Since the generic VFS calls will not contain any security mount data
644 	 * we need to skip the double mount verification.
645 	 *
646 	 * This does open a hole in which we will not notice if the first
647 	 * mount using this sb set explict options and a second mount using
648 	 * this sb does not set any security options.  (The first options
649 	 * will be used for both mounts)
650 	 */
651 	if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
652 	    && (num_opts == 0))
653 		goto out;
654 
655 	/*
656 	 * parse the mount options, check if they are valid sids.
657 	 * also check if someone is trying to mount the same sb more
658 	 * than once with different security options.
659 	 */
660 	for (i = 0; i < num_opts; i++) {
661 		u32 sid;
662 
663 		if (flags[i] == SBLABEL_MNT)
664 			continue;
665 		rc = security_context_to_sid(mount_options[i],
666 					     strlen(mount_options[i]), &sid, GFP_KERNEL);
667 		if (rc) {
668 			printk(KERN_WARNING "SELinux: security_context_to_sid"
669 			       "(%s) failed for (dev %s, type %s) errno=%d\n",
670 			       mount_options[i], sb->s_id, name, rc);
671 			goto out;
672 		}
673 		switch (flags[i]) {
674 		case FSCONTEXT_MNT:
675 			fscontext_sid = sid;
676 
677 			if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
678 					fscontext_sid))
679 				goto out_double_mount;
680 
681 			sbsec->flags |= FSCONTEXT_MNT;
682 			break;
683 		case CONTEXT_MNT:
684 			context_sid = sid;
685 
686 			if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
687 					context_sid))
688 				goto out_double_mount;
689 
690 			sbsec->flags |= CONTEXT_MNT;
691 			break;
692 		case ROOTCONTEXT_MNT:
693 			rootcontext_sid = sid;
694 
695 			if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
696 					rootcontext_sid))
697 				goto out_double_mount;
698 
699 			sbsec->flags |= ROOTCONTEXT_MNT;
700 
701 			break;
702 		case DEFCONTEXT_MNT:
703 			defcontext_sid = sid;
704 
705 			if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
706 					defcontext_sid))
707 				goto out_double_mount;
708 
709 			sbsec->flags |= DEFCONTEXT_MNT;
710 
711 			break;
712 		default:
713 			rc = -EINVAL;
714 			goto out;
715 		}
716 	}
717 
718 	if (sbsec->flags & SE_SBINITIALIZED) {
719 		/* previously mounted with options, but not on this attempt? */
720 		if ((sbsec->flags & SE_MNTMASK) && !num_opts)
721 			goto out_double_mount;
722 		rc = 0;
723 		goto out;
724 	}
725 
726 	if (strcmp(sb->s_type->name, "proc") == 0)
727 		sbsec->flags |= SE_SBPROC;
728 
729 	if (!sbsec->behavior) {
730 		/*
731 		 * Determine the labeling behavior to use for this
732 		 * filesystem type.
733 		 */
734 		rc = security_fs_use(sb);
735 		if (rc) {
736 			printk(KERN_WARNING
737 				"%s: security_fs_use(%s) returned %d\n",
738 					__func__, sb->s_type->name, rc);
739 			goto out;
740 		}
741 	}
742 	/* sets the context of the superblock for the fs being mounted. */
743 	if (fscontext_sid) {
744 		rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
745 		if (rc)
746 			goto out;
747 
748 		sbsec->sid = fscontext_sid;
749 	}
750 
751 	/*
752 	 * Switch to using mount point labeling behavior.
753 	 * sets the label used on all file below the mountpoint, and will set
754 	 * the superblock context if not already set.
755 	 */
756 	if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
757 		sbsec->behavior = SECURITY_FS_USE_NATIVE;
758 		*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
759 	}
760 
761 	if (context_sid) {
762 		if (!fscontext_sid) {
763 			rc = may_context_mount_sb_relabel(context_sid, sbsec,
764 							  cred);
765 			if (rc)
766 				goto out;
767 			sbsec->sid = context_sid;
768 		} else {
769 			rc = may_context_mount_inode_relabel(context_sid, sbsec,
770 							     cred);
771 			if (rc)
772 				goto out;
773 		}
774 		if (!rootcontext_sid)
775 			rootcontext_sid = context_sid;
776 
777 		sbsec->mntpoint_sid = context_sid;
778 		sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
779 	}
780 
781 	if (rootcontext_sid) {
782 		rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
783 						     cred);
784 		if (rc)
785 			goto out;
786 
787 		root_isec->sid = rootcontext_sid;
788 		root_isec->initialized = 1;
789 	}
790 
791 	if (defcontext_sid) {
792 		if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
793 			sbsec->behavior != SECURITY_FS_USE_NATIVE) {
794 			rc = -EINVAL;
795 			printk(KERN_WARNING "SELinux: defcontext option is "
796 			       "invalid for this filesystem type\n");
797 			goto out;
798 		}
799 
800 		if (defcontext_sid != sbsec->def_sid) {
801 			rc = may_context_mount_inode_relabel(defcontext_sid,
802 							     sbsec, cred);
803 			if (rc)
804 				goto out;
805 		}
806 
807 		sbsec->def_sid = defcontext_sid;
808 	}
809 
810 	rc = sb_finish_set_opts(sb);
811 out:
812 	mutex_unlock(&sbsec->lock);
813 	return rc;
814 out_double_mount:
815 	rc = -EINVAL;
816 	printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, different "
817 	       "security settings for (dev %s, type %s)\n", sb->s_id, name);
818 	goto out;
819 }
820 
821 static int selinux_cmp_sb_context(const struct super_block *oldsb,
822 				    const struct super_block *newsb)
823 {
824 	struct superblock_security_struct *old = oldsb->s_security;
825 	struct superblock_security_struct *new = newsb->s_security;
826 	char oldflags = old->flags & SE_MNTMASK;
827 	char newflags = new->flags & SE_MNTMASK;
828 
829 	if (oldflags != newflags)
830 		goto mismatch;
831 	if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
832 		goto mismatch;
833 	if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
834 		goto mismatch;
835 	if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
836 		goto mismatch;
837 	if (oldflags & ROOTCONTEXT_MNT) {
838 		struct inode_security_struct *oldroot = d_backing_inode(oldsb->s_root)->i_security;
839 		struct inode_security_struct *newroot = d_backing_inode(newsb->s_root)->i_security;
840 		if (oldroot->sid != newroot->sid)
841 			goto mismatch;
842 	}
843 	return 0;
844 mismatch:
845 	printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, "
846 			    "different security settings for (dev %s, "
847 			    "type %s)\n", newsb->s_id, newsb->s_type->name);
848 	return -EBUSY;
849 }
850 
851 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
852 					struct super_block *newsb)
853 {
854 	const struct superblock_security_struct *oldsbsec = oldsb->s_security;
855 	struct superblock_security_struct *newsbsec = newsb->s_security;
856 
857 	int set_fscontext =	(oldsbsec->flags & FSCONTEXT_MNT);
858 	int set_context =	(oldsbsec->flags & CONTEXT_MNT);
859 	int set_rootcontext =	(oldsbsec->flags & ROOTCONTEXT_MNT);
860 
861 	/*
862 	 * if the parent was able to be mounted it clearly had no special lsm
863 	 * mount options.  thus we can safely deal with this superblock later
864 	 */
865 	if (!ss_initialized)
866 		return 0;
867 
868 	/* how can we clone if the old one wasn't set up?? */
869 	BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
870 
871 	/* if fs is reusing a sb, make sure that the contexts match */
872 	if (newsbsec->flags & SE_SBINITIALIZED)
873 		return selinux_cmp_sb_context(oldsb, newsb);
874 
875 	mutex_lock(&newsbsec->lock);
876 
877 	newsbsec->flags = oldsbsec->flags;
878 
879 	newsbsec->sid = oldsbsec->sid;
880 	newsbsec->def_sid = oldsbsec->def_sid;
881 	newsbsec->behavior = oldsbsec->behavior;
882 
883 	if (set_context) {
884 		u32 sid = oldsbsec->mntpoint_sid;
885 
886 		if (!set_fscontext)
887 			newsbsec->sid = sid;
888 		if (!set_rootcontext) {
889 			struct inode *newinode = d_backing_inode(newsb->s_root);
890 			struct inode_security_struct *newisec = newinode->i_security;
891 			newisec->sid = sid;
892 		}
893 		newsbsec->mntpoint_sid = sid;
894 	}
895 	if (set_rootcontext) {
896 		const struct inode *oldinode = d_backing_inode(oldsb->s_root);
897 		const struct inode_security_struct *oldisec = oldinode->i_security;
898 		struct inode *newinode = d_backing_inode(newsb->s_root);
899 		struct inode_security_struct *newisec = newinode->i_security;
900 
901 		newisec->sid = oldisec->sid;
902 	}
903 
904 	sb_finish_set_opts(newsb);
905 	mutex_unlock(&newsbsec->lock);
906 	return 0;
907 }
908 
909 static int selinux_parse_opts_str(char *options,
910 				  struct security_mnt_opts *opts)
911 {
912 	char *p;
913 	char *context = NULL, *defcontext = NULL;
914 	char *fscontext = NULL, *rootcontext = NULL;
915 	int rc, num_mnt_opts = 0;
916 
917 	opts->num_mnt_opts = 0;
918 
919 	/* Standard string-based options. */
920 	while ((p = strsep(&options, "|")) != NULL) {
921 		int token;
922 		substring_t args[MAX_OPT_ARGS];
923 
924 		if (!*p)
925 			continue;
926 
927 		token = match_token(p, tokens, args);
928 
929 		switch (token) {
930 		case Opt_context:
931 			if (context || defcontext) {
932 				rc = -EINVAL;
933 				printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
934 				goto out_err;
935 			}
936 			context = match_strdup(&args[0]);
937 			if (!context) {
938 				rc = -ENOMEM;
939 				goto out_err;
940 			}
941 			break;
942 
943 		case Opt_fscontext:
944 			if (fscontext) {
945 				rc = -EINVAL;
946 				printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
947 				goto out_err;
948 			}
949 			fscontext = match_strdup(&args[0]);
950 			if (!fscontext) {
951 				rc = -ENOMEM;
952 				goto out_err;
953 			}
954 			break;
955 
956 		case Opt_rootcontext:
957 			if (rootcontext) {
958 				rc = -EINVAL;
959 				printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
960 				goto out_err;
961 			}
962 			rootcontext = match_strdup(&args[0]);
963 			if (!rootcontext) {
964 				rc = -ENOMEM;
965 				goto out_err;
966 			}
967 			break;
968 
969 		case Opt_defcontext:
970 			if (context || defcontext) {
971 				rc = -EINVAL;
972 				printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
973 				goto out_err;
974 			}
975 			defcontext = match_strdup(&args[0]);
976 			if (!defcontext) {
977 				rc = -ENOMEM;
978 				goto out_err;
979 			}
980 			break;
981 		case Opt_labelsupport:
982 			break;
983 		default:
984 			rc = -EINVAL;
985 			printk(KERN_WARNING "SELinux:  unknown mount option\n");
986 			goto out_err;
987 
988 		}
989 	}
990 
991 	rc = -ENOMEM;
992 	opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
993 	if (!opts->mnt_opts)
994 		goto out_err;
995 
996 	opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
997 	if (!opts->mnt_opts_flags) {
998 		kfree(opts->mnt_opts);
999 		goto out_err;
1000 	}
1001 
1002 	if (fscontext) {
1003 		opts->mnt_opts[num_mnt_opts] = fscontext;
1004 		opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
1005 	}
1006 	if (context) {
1007 		opts->mnt_opts[num_mnt_opts] = context;
1008 		opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
1009 	}
1010 	if (rootcontext) {
1011 		opts->mnt_opts[num_mnt_opts] = rootcontext;
1012 		opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
1013 	}
1014 	if (defcontext) {
1015 		opts->mnt_opts[num_mnt_opts] = defcontext;
1016 		opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
1017 	}
1018 
1019 	opts->num_mnt_opts = num_mnt_opts;
1020 	return 0;
1021 
1022 out_err:
1023 	kfree(context);
1024 	kfree(defcontext);
1025 	kfree(fscontext);
1026 	kfree(rootcontext);
1027 	return rc;
1028 }
1029 /*
1030  * string mount options parsing and call set the sbsec
1031  */
1032 static int superblock_doinit(struct super_block *sb, void *data)
1033 {
1034 	int rc = 0;
1035 	char *options = data;
1036 	struct security_mnt_opts opts;
1037 
1038 	security_init_mnt_opts(&opts);
1039 
1040 	if (!data)
1041 		goto out;
1042 
1043 	BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1044 
1045 	rc = selinux_parse_opts_str(options, &opts);
1046 	if (rc)
1047 		goto out_err;
1048 
1049 out:
1050 	rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
1051 
1052 out_err:
1053 	security_free_mnt_opts(&opts);
1054 	return rc;
1055 }
1056 
1057 static void selinux_write_opts(struct seq_file *m,
1058 			       struct security_mnt_opts *opts)
1059 {
1060 	int i;
1061 	char *prefix;
1062 
1063 	for (i = 0; i < opts->num_mnt_opts; i++) {
1064 		char *has_comma;
1065 
1066 		if (opts->mnt_opts[i])
1067 			has_comma = strchr(opts->mnt_opts[i], ',');
1068 		else
1069 			has_comma = NULL;
1070 
1071 		switch (opts->mnt_opts_flags[i]) {
1072 		case CONTEXT_MNT:
1073 			prefix = CONTEXT_STR;
1074 			break;
1075 		case FSCONTEXT_MNT:
1076 			prefix = FSCONTEXT_STR;
1077 			break;
1078 		case ROOTCONTEXT_MNT:
1079 			prefix = ROOTCONTEXT_STR;
1080 			break;
1081 		case DEFCONTEXT_MNT:
1082 			prefix = DEFCONTEXT_STR;
1083 			break;
1084 		case SBLABEL_MNT:
1085 			seq_putc(m, ',');
1086 			seq_puts(m, LABELSUPP_STR);
1087 			continue;
1088 		default:
1089 			BUG();
1090 			return;
1091 		};
1092 		/* we need a comma before each option */
1093 		seq_putc(m, ',');
1094 		seq_puts(m, prefix);
1095 		if (has_comma)
1096 			seq_putc(m, '\"');
1097 		seq_puts(m, opts->mnt_opts[i]);
1098 		if (has_comma)
1099 			seq_putc(m, '\"');
1100 	}
1101 }
1102 
1103 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1104 {
1105 	struct security_mnt_opts opts;
1106 	int rc;
1107 
1108 	rc = selinux_get_mnt_opts(sb, &opts);
1109 	if (rc) {
1110 		/* before policy load we may get EINVAL, don't show anything */
1111 		if (rc == -EINVAL)
1112 			rc = 0;
1113 		return rc;
1114 	}
1115 
1116 	selinux_write_opts(m, &opts);
1117 
1118 	security_free_mnt_opts(&opts);
1119 
1120 	return rc;
1121 }
1122 
1123 static inline u16 inode_mode_to_security_class(umode_t mode)
1124 {
1125 	switch (mode & S_IFMT) {
1126 	case S_IFSOCK:
1127 		return SECCLASS_SOCK_FILE;
1128 	case S_IFLNK:
1129 		return SECCLASS_LNK_FILE;
1130 	case S_IFREG:
1131 		return SECCLASS_FILE;
1132 	case S_IFBLK:
1133 		return SECCLASS_BLK_FILE;
1134 	case S_IFDIR:
1135 		return SECCLASS_DIR;
1136 	case S_IFCHR:
1137 		return SECCLASS_CHR_FILE;
1138 	case S_IFIFO:
1139 		return SECCLASS_FIFO_FILE;
1140 
1141 	}
1142 
1143 	return SECCLASS_FILE;
1144 }
1145 
1146 static inline int default_protocol_stream(int protocol)
1147 {
1148 	return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1149 }
1150 
1151 static inline int default_protocol_dgram(int protocol)
1152 {
1153 	return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1154 }
1155 
1156 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1157 {
1158 	switch (family) {
1159 	case PF_UNIX:
1160 		switch (type) {
1161 		case SOCK_STREAM:
1162 		case SOCK_SEQPACKET:
1163 			return SECCLASS_UNIX_STREAM_SOCKET;
1164 		case SOCK_DGRAM:
1165 			return SECCLASS_UNIX_DGRAM_SOCKET;
1166 		}
1167 		break;
1168 	case PF_INET:
1169 	case PF_INET6:
1170 		switch (type) {
1171 		case SOCK_STREAM:
1172 			if (default_protocol_stream(protocol))
1173 				return SECCLASS_TCP_SOCKET;
1174 			else
1175 				return SECCLASS_RAWIP_SOCKET;
1176 		case SOCK_DGRAM:
1177 			if (default_protocol_dgram(protocol))
1178 				return SECCLASS_UDP_SOCKET;
1179 			else
1180 				return SECCLASS_RAWIP_SOCKET;
1181 		case SOCK_DCCP:
1182 			return SECCLASS_DCCP_SOCKET;
1183 		default:
1184 			return SECCLASS_RAWIP_SOCKET;
1185 		}
1186 		break;
1187 	case PF_NETLINK:
1188 		switch (protocol) {
1189 		case NETLINK_ROUTE:
1190 			return SECCLASS_NETLINK_ROUTE_SOCKET;
1191 		case NETLINK_FIREWALL:
1192 			return SECCLASS_NETLINK_FIREWALL_SOCKET;
1193 		case NETLINK_SOCK_DIAG:
1194 			return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1195 		case NETLINK_NFLOG:
1196 			return SECCLASS_NETLINK_NFLOG_SOCKET;
1197 		case NETLINK_XFRM:
1198 			return SECCLASS_NETLINK_XFRM_SOCKET;
1199 		case NETLINK_SELINUX:
1200 			return SECCLASS_NETLINK_SELINUX_SOCKET;
1201 		case NETLINK_AUDIT:
1202 			return SECCLASS_NETLINK_AUDIT_SOCKET;
1203 		case NETLINK_IP6_FW:
1204 			return SECCLASS_NETLINK_IP6FW_SOCKET;
1205 		case NETLINK_DNRTMSG:
1206 			return SECCLASS_NETLINK_DNRT_SOCKET;
1207 		case NETLINK_KOBJECT_UEVENT:
1208 			return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1209 		default:
1210 			return SECCLASS_NETLINK_SOCKET;
1211 		}
1212 	case PF_PACKET:
1213 		return SECCLASS_PACKET_SOCKET;
1214 	case PF_KEY:
1215 		return SECCLASS_KEY_SOCKET;
1216 	case PF_APPLETALK:
1217 		return SECCLASS_APPLETALK_SOCKET;
1218 	}
1219 
1220 	return SECCLASS_SOCKET;
1221 }
1222 
1223 #ifdef CONFIG_PROC_FS
1224 static int selinux_proc_get_sid(struct dentry *dentry,
1225 				u16 tclass,
1226 				u32 *sid)
1227 {
1228 	int rc;
1229 	char *buffer, *path;
1230 
1231 	buffer = (char *)__get_free_page(GFP_KERNEL);
1232 	if (!buffer)
1233 		return -ENOMEM;
1234 
1235 	path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1236 	if (IS_ERR(path))
1237 		rc = PTR_ERR(path);
1238 	else {
1239 		/* each process gets a /proc/PID/ entry. Strip off the
1240 		 * PID part to get a valid selinux labeling.
1241 		 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1242 		while (path[1] >= '0' && path[1] <= '9') {
1243 			path[1] = '/';
1244 			path++;
1245 		}
1246 		rc = security_genfs_sid("proc", path, tclass, sid);
1247 	}
1248 	free_page((unsigned long)buffer);
1249 	return rc;
1250 }
1251 #else
1252 static int selinux_proc_get_sid(struct dentry *dentry,
1253 				u16 tclass,
1254 				u32 *sid)
1255 {
1256 	return -EINVAL;
1257 }
1258 #endif
1259 
1260 /* The inode's security attributes must be initialized before first use. */
1261 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1262 {
1263 	struct superblock_security_struct *sbsec = NULL;
1264 	struct inode_security_struct *isec = inode->i_security;
1265 	u32 sid;
1266 	struct dentry *dentry;
1267 #define INITCONTEXTLEN 255
1268 	char *context = NULL;
1269 	unsigned len = 0;
1270 	int rc = 0;
1271 
1272 	if (isec->initialized)
1273 		goto out;
1274 
1275 	mutex_lock(&isec->lock);
1276 	if (isec->initialized)
1277 		goto out_unlock;
1278 
1279 	sbsec = inode->i_sb->s_security;
1280 	if (!(sbsec->flags & SE_SBINITIALIZED)) {
1281 		/* Defer initialization until selinux_complete_init,
1282 		   after the initial policy is loaded and the security
1283 		   server is ready to handle calls. */
1284 		spin_lock(&sbsec->isec_lock);
1285 		if (list_empty(&isec->list))
1286 			list_add(&isec->list, &sbsec->isec_head);
1287 		spin_unlock(&sbsec->isec_lock);
1288 		goto out_unlock;
1289 	}
1290 
1291 	switch (sbsec->behavior) {
1292 	case SECURITY_FS_USE_NATIVE:
1293 		break;
1294 	case SECURITY_FS_USE_XATTR:
1295 		if (!inode->i_op->getxattr) {
1296 			isec->sid = sbsec->def_sid;
1297 			break;
1298 		}
1299 
1300 		/* Need a dentry, since the xattr API requires one.
1301 		   Life would be simpler if we could just pass the inode. */
1302 		if (opt_dentry) {
1303 			/* Called from d_instantiate or d_splice_alias. */
1304 			dentry = dget(opt_dentry);
1305 		} else {
1306 			/* Called from selinux_complete_init, try to find a dentry. */
1307 			dentry = d_find_alias(inode);
1308 		}
1309 		if (!dentry) {
1310 			/*
1311 			 * this is can be hit on boot when a file is accessed
1312 			 * before the policy is loaded.  When we load policy we
1313 			 * may find inodes that have no dentry on the
1314 			 * sbsec->isec_head list.  No reason to complain as these
1315 			 * will get fixed up the next time we go through
1316 			 * inode_doinit with a dentry, before these inodes could
1317 			 * be used again by userspace.
1318 			 */
1319 			goto out_unlock;
1320 		}
1321 
1322 		len = INITCONTEXTLEN;
1323 		context = kmalloc(len+1, GFP_NOFS);
1324 		if (!context) {
1325 			rc = -ENOMEM;
1326 			dput(dentry);
1327 			goto out_unlock;
1328 		}
1329 		context[len] = '\0';
1330 		rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1331 					   context, len);
1332 		if (rc == -ERANGE) {
1333 			kfree(context);
1334 
1335 			/* Need a larger buffer.  Query for the right size. */
1336 			rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1337 						   NULL, 0);
1338 			if (rc < 0) {
1339 				dput(dentry);
1340 				goto out_unlock;
1341 			}
1342 			len = rc;
1343 			context = kmalloc(len+1, GFP_NOFS);
1344 			if (!context) {
1345 				rc = -ENOMEM;
1346 				dput(dentry);
1347 				goto out_unlock;
1348 			}
1349 			context[len] = '\0';
1350 			rc = inode->i_op->getxattr(dentry,
1351 						   XATTR_NAME_SELINUX,
1352 						   context, len);
1353 		}
1354 		dput(dentry);
1355 		if (rc < 0) {
1356 			if (rc != -ENODATA) {
1357 				printk(KERN_WARNING "SELinux: %s:  getxattr returned "
1358 				       "%d for dev=%s ino=%ld\n", __func__,
1359 				       -rc, inode->i_sb->s_id, inode->i_ino);
1360 				kfree(context);
1361 				goto out_unlock;
1362 			}
1363 			/* Map ENODATA to the default file SID */
1364 			sid = sbsec->def_sid;
1365 			rc = 0;
1366 		} else {
1367 			rc = security_context_to_sid_default(context, rc, &sid,
1368 							     sbsec->def_sid,
1369 							     GFP_NOFS);
1370 			if (rc) {
1371 				char *dev = inode->i_sb->s_id;
1372 				unsigned long ino = inode->i_ino;
1373 
1374 				if (rc == -EINVAL) {
1375 					if (printk_ratelimit())
1376 						printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1377 							"context=%s.  This indicates you may need to relabel the inode or the "
1378 							"filesystem in question.\n", ino, dev, context);
1379 				} else {
1380 					printk(KERN_WARNING "SELinux: %s:  context_to_sid(%s) "
1381 					       "returned %d for dev=%s ino=%ld\n",
1382 					       __func__, context, -rc, dev, ino);
1383 				}
1384 				kfree(context);
1385 				/* Leave with the unlabeled SID */
1386 				rc = 0;
1387 				break;
1388 			}
1389 		}
1390 		kfree(context);
1391 		isec->sid = sid;
1392 		break;
1393 	case SECURITY_FS_USE_TASK:
1394 		isec->sid = isec->task_sid;
1395 		break;
1396 	case SECURITY_FS_USE_TRANS:
1397 		/* Default to the fs SID. */
1398 		isec->sid = sbsec->sid;
1399 
1400 		/* Try to obtain a transition SID. */
1401 		isec->sclass = inode_mode_to_security_class(inode->i_mode);
1402 		rc = security_transition_sid(isec->task_sid, sbsec->sid,
1403 					     isec->sclass, NULL, &sid);
1404 		if (rc)
1405 			goto out_unlock;
1406 		isec->sid = sid;
1407 		break;
1408 	case SECURITY_FS_USE_MNTPOINT:
1409 		isec->sid = sbsec->mntpoint_sid;
1410 		break;
1411 	default:
1412 		/* Default to the fs superblock SID. */
1413 		isec->sid = sbsec->sid;
1414 
1415 		if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
1416 			/* We must have a dentry to determine the label on
1417 			 * procfs inodes */
1418 			if (opt_dentry)
1419 				/* Called from d_instantiate or
1420 				 * d_splice_alias. */
1421 				dentry = dget(opt_dentry);
1422 			else
1423 				/* Called from selinux_complete_init, try to
1424 				 * find a dentry. */
1425 				dentry = d_find_alias(inode);
1426 			/*
1427 			 * This can be hit on boot when a file is accessed
1428 			 * before the policy is loaded.  When we load policy we
1429 			 * may find inodes that have no dentry on the
1430 			 * sbsec->isec_head list.  No reason to complain as
1431 			 * these will get fixed up the next time we go through
1432 			 * inode_doinit() with a dentry, before these inodes
1433 			 * could be used again by userspace.
1434 			 */
1435 			if (!dentry)
1436 				goto out_unlock;
1437 			isec->sclass = inode_mode_to_security_class(inode->i_mode);
1438 			rc = selinux_proc_get_sid(dentry, isec->sclass, &sid);
1439 			dput(dentry);
1440 			if (rc)
1441 				goto out_unlock;
1442 			isec->sid = sid;
1443 		}
1444 		break;
1445 	}
1446 
1447 	isec->initialized = 1;
1448 
1449 out_unlock:
1450 	mutex_unlock(&isec->lock);
1451 out:
1452 	if (isec->sclass == SECCLASS_FILE)
1453 		isec->sclass = inode_mode_to_security_class(inode->i_mode);
1454 	return rc;
1455 }
1456 
1457 /* Convert a Linux signal to an access vector. */
1458 static inline u32 signal_to_av(int sig)
1459 {
1460 	u32 perm = 0;
1461 
1462 	switch (sig) {
1463 	case SIGCHLD:
1464 		/* Commonly granted from child to parent. */
1465 		perm = PROCESS__SIGCHLD;
1466 		break;
1467 	case SIGKILL:
1468 		/* Cannot be caught or ignored */
1469 		perm = PROCESS__SIGKILL;
1470 		break;
1471 	case SIGSTOP:
1472 		/* Cannot be caught or ignored */
1473 		perm = PROCESS__SIGSTOP;
1474 		break;
1475 	default:
1476 		/* All other signals. */
1477 		perm = PROCESS__SIGNAL;
1478 		break;
1479 	}
1480 
1481 	return perm;
1482 }
1483 
1484 /*
1485  * Check permission between a pair of credentials
1486  * fork check, ptrace check, etc.
1487  */
1488 static int cred_has_perm(const struct cred *actor,
1489 			 const struct cred *target,
1490 			 u32 perms)
1491 {
1492 	u32 asid = cred_sid(actor), tsid = cred_sid(target);
1493 
1494 	return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1495 }
1496 
1497 /*
1498  * Check permission between a pair of tasks, e.g. signal checks,
1499  * fork check, ptrace check, etc.
1500  * tsk1 is the actor and tsk2 is the target
1501  * - this uses the default subjective creds of tsk1
1502  */
1503 static int task_has_perm(const struct task_struct *tsk1,
1504 			 const struct task_struct *tsk2,
1505 			 u32 perms)
1506 {
1507 	const struct task_security_struct *__tsec1, *__tsec2;
1508 	u32 sid1, sid2;
1509 
1510 	rcu_read_lock();
1511 	__tsec1 = __task_cred(tsk1)->security;	sid1 = __tsec1->sid;
1512 	__tsec2 = __task_cred(tsk2)->security;	sid2 = __tsec2->sid;
1513 	rcu_read_unlock();
1514 	return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1515 }
1516 
1517 /*
1518  * Check permission between current and another task, e.g. signal checks,
1519  * fork check, ptrace check, etc.
1520  * current is the actor and tsk2 is the target
1521  * - this uses current's subjective creds
1522  */
1523 static int current_has_perm(const struct task_struct *tsk,
1524 			    u32 perms)
1525 {
1526 	u32 sid, tsid;
1527 
1528 	sid = current_sid();
1529 	tsid = task_sid(tsk);
1530 	return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1531 }
1532 
1533 #if CAP_LAST_CAP > 63
1534 #error Fix SELinux to handle capabilities > 63.
1535 #endif
1536 
1537 /* Check whether a task is allowed to use a capability. */
1538 static int cred_has_capability(const struct cred *cred,
1539 			       int cap, int audit)
1540 {
1541 	struct common_audit_data ad;
1542 	struct av_decision avd;
1543 	u16 sclass;
1544 	u32 sid = cred_sid(cred);
1545 	u32 av = CAP_TO_MASK(cap);
1546 	int rc;
1547 
1548 	ad.type = LSM_AUDIT_DATA_CAP;
1549 	ad.u.cap = cap;
1550 
1551 	switch (CAP_TO_INDEX(cap)) {
1552 	case 0:
1553 		sclass = SECCLASS_CAPABILITY;
1554 		break;
1555 	case 1:
1556 		sclass = SECCLASS_CAPABILITY2;
1557 		break;
1558 	default:
1559 		printk(KERN_ERR
1560 		       "SELinux:  out of range capability %d\n", cap);
1561 		BUG();
1562 		return -EINVAL;
1563 	}
1564 
1565 	rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1566 	if (audit == SECURITY_CAP_AUDIT) {
1567 		int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad);
1568 		if (rc2)
1569 			return rc2;
1570 	}
1571 	return rc;
1572 }
1573 
1574 /* Check whether a task is allowed to use a system operation. */
1575 static int task_has_system(struct task_struct *tsk,
1576 			   u32 perms)
1577 {
1578 	u32 sid = task_sid(tsk);
1579 
1580 	return avc_has_perm(sid, SECINITSID_KERNEL,
1581 			    SECCLASS_SYSTEM, perms, NULL);
1582 }
1583 
1584 /* Check whether a task has a particular permission to an inode.
1585    The 'adp' parameter is optional and allows other audit
1586    data to be passed (e.g. the dentry). */
1587 static int inode_has_perm(const struct cred *cred,
1588 			  struct inode *inode,
1589 			  u32 perms,
1590 			  struct common_audit_data *adp)
1591 {
1592 	struct inode_security_struct *isec;
1593 	u32 sid;
1594 
1595 	validate_creds(cred);
1596 
1597 	if (unlikely(IS_PRIVATE(inode)))
1598 		return 0;
1599 
1600 	sid = cred_sid(cred);
1601 	isec = inode->i_security;
1602 
1603 	return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1604 }
1605 
1606 /* Same as inode_has_perm, but pass explicit audit data containing
1607    the dentry to help the auditing code to more easily generate the
1608    pathname if needed. */
1609 static inline int dentry_has_perm(const struct cred *cred,
1610 				  struct dentry *dentry,
1611 				  u32 av)
1612 {
1613 	struct inode *inode = d_backing_inode(dentry);
1614 	struct common_audit_data ad;
1615 
1616 	ad.type = LSM_AUDIT_DATA_DENTRY;
1617 	ad.u.dentry = dentry;
1618 	return inode_has_perm(cred, inode, av, &ad);
1619 }
1620 
1621 /* Same as inode_has_perm, but pass explicit audit data containing
1622    the path to help the auditing code to more easily generate the
1623    pathname if needed. */
1624 static inline int path_has_perm(const struct cred *cred,
1625 				const struct path *path,
1626 				u32 av)
1627 {
1628 	struct inode *inode = d_backing_inode(path->dentry);
1629 	struct common_audit_data ad;
1630 
1631 	ad.type = LSM_AUDIT_DATA_PATH;
1632 	ad.u.path = *path;
1633 	return inode_has_perm(cred, inode, av, &ad);
1634 }
1635 
1636 /* Same as path_has_perm, but uses the inode from the file struct. */
1637 static inline int file_path_has_perm(const struct cred *cred,
1638 				     struct file *file,
1639 				     u32 av)
1640 {
1641 	struct common_audit_data ad;
1642 
1643 	ad.type = LSM_AUDIT_DATA_PATH;
1644 	ad.u.path = file->f_path;
1645 	return inode_has_perm(cred, file_inode(file), av, &ad);
1646 }
1647 
1648 /* Check whether a task can use an open file descriptor to
1649    access an inode in a given way.  Check access to the
1650    descriptor itself, and then use dentry_has_perm to
1651    check a particular permission to the file.
1652    Access to the descriptor is implicitly granted if it
1653    has the same SID as the process.  If av is zero, then
1654    access to the file is not checked, e.g. for cases
1655    where only the descriptor is affected like seek. */
1656 static int file_has_perm(const struct cred *cred,
1657 			 struct file *file,
1658 			 u32 av)
1659 {
1660 	struct file_security_struct *fsec = file->f_security;
1661 	struct inode *inode = file_inode(file);
1662 	struct common_audit_data ad;
1663 	u32 sid = cred_sid(cred);
1664 	int rc;
1665 
1666 	ad.type = LSM_AUDIT_DATA_PATH;
1667 	ad.u.path = file->f_path;
1668 
1669 	if (sid != fsec->sid) {
1670 		rc = avc_has_perm(sid, fsec->sid,
1671 				  SECCLASS_FD,
1672 				  FD__USE,
1673 				  &ad);
1674 		if (rc)
1675 			goto out;
1676 	}
1677 
1678 	/* av is zero if only checking access to the descriptor. */
1679 	rc = 0;
1680 	if (av)
1681 		rc = inode_has_perm(cred, inode, av, &ad);
1682 
1683 out:
1684 	return rc;
1685 }
1686 
1687 /* Check whether a task can create a file. */
1688 static int may_create(struct inode *dir,
1689 		      struct dentry *dentry,
1690 		      u16 tclass)
1691 {
1692 	const struct task_security_struct *tsec = current_security();
1693 	struct inode_security_struct *dsec;
1694 	struct superblock_security_struct *sbsec;
1695 	u32 sid, newsid;
1696 	struct common_audit_data ad;
1697 	int rc;
1698 
1699 	dsec = dir->i_security;
1700 	sbsec = dir->i_sb->s_security;
1701 
1702 	sid = tsec->sid;
1703 	newsid = tsec->create_sid;
1704 
1705 	ad.type = LSM_AUDIT_DATA_DENTRY;
1706 	ad.u.dentry = dentry;
1707 
1708 	rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1709 			  DIR__ADD_NAME | DIR__SEARCH,
1710 			  &ad);
1711 	if (rc)
1712 		return rc;
1713 
1714 	if (!newsid || !(sbsec->flags & SBLABEL_MNT)) {
1715 		rc = security_transition_sid(sid, dsec->sid, tclass,
1716 					     &dentry->d_name, &newsid);
1717 		if (rc)
1718 			return rc;
1719 	}
1720 
1721 	rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1722 	if (rc)
1723 		return rc;
1724 
1725 	return avc_has_perm(newsid, sbsec->sid,
1726 			    SECCLASS_FILESYSTEM,
1727 			    FILESYSTEM__ASSOCIATE, &ad);
1728 }
1729 
1730 /* Check whether a task can create a key. */
1731 static int may_create_key(u32 ksid,
1732 			  struct task_struct *ctx)
1733 {
1734 	u32 sid = task_sid(ctx);
1735 
1736 	return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1737 }
1738 
1739 #define MAY_LINK	0
1740 #define MAY_UNLINK	1
1741 #define MAY_RMDIR	2
1742 
1743 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1744 static int may_link(struct inode *dir,
1745 		    struct dentry *dentry,
1746 		    int kind)
1747 
1748 {
1749 	struct inode_security_struct *dsec, *isec;
1750 	struct common_audit_data ad;
1751 	u32 sid = current_sid();
1752 	u32 av;
1753 	int rc;
1754 
1755 	dsec = dir->i_security;
1756 	isec = d_backing_inode(dentry)->i_security;
1757 
1758 	ad.type = LSM_AUDIT_DATA_DENTRY;
1759 	ad.u.dentry = dentry;
1760 
1761 	av = DIR__SEARCH;
1762 	av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1763 	rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1764 	if (rc)
1765 		return rc;
1766 
1767 	switch (kind) {
1768 	case MAY_LINK:
1769 		av = FILE__LINK;
1770 		break;
1771 	case MAY_UNLINK:
1772 		av = FILE__UNLINK;
1773 		break;
1774 	case MAY_RMDIR:
1775 		av = DIR__RMDIR;
1776 		break;
1777 	default:
1778 		printk(KERN_WARNING "SELinux: %s:  unrecognized kind %d\n",
1779 			__func__, kind);
1780 		return 0;
1781 	}
1782 
1783 	rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1784 	return rc;
1785 }
1786 
1787 static inline int may_rename(struct inode *old_dir,
1788 			     struct dentry *old_dentry,
1789 			     struct inode *new_dir,
1790 			     struct dentry *new_dentry)
1791 {
1792 	struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1793 	struct common_audit_data ad;
1794 	u32 sid = current_sid();
1795 	u32 av;
1796 	int old_is_dir, new_is_dir;
1797 	int rc;
1798 
1799 	old_dsec = old_dir->i_security;
1800 	old_isec = d_backing_inode(old_dentry)->i_security;
1801 	old_is_dir = d_is_dir(old_dentry);
1802 	new_dsec = new_dir->i_security;
1803 
1804 	ad.type = LSM_AUDIT_DATA_DENTRY;
1805 
1806 	ad.u.dentry = old_dentry;
1807 	rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1808 			  DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1809 	if (rc)
1810 		return rc;
1811 	rc = avc_has_perm(sid, old_isec->sid,
1812 			  old_isec->sclass, FILE__RENAME, &ad);
1813 	if (rc)
1814 		return rc;
1815 	if (old_is_dir && new_dir != old_dir) {
1816 		rc = avc_has_perm(sid, old_isec->sid,
1817 				  old_isec->sclass, DIR__REPARENT, &ad);
1818 		if (rc)
1819 			return rc;
1820 	}
1821 
1822 	ad.u.dentry = new_dentry;
1823 	av = DIR__ADD_NAME | DIR__SEARCH;
1824 	if (d_is_positive(new_dentry))
1825 		av |= DIR__REMOVE_NAME;
1826 	rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1827 	if (rc)
1828 		return rc;
1829 	if (d_is_positive(new_dentry)) {
1830 		new_isec = d_backing_inode(new_dentry)->i_security;
1831 		new_is_dir = d_is_dir(new_dentry);
1832 		rc = avc_has_perm(sid, new_isec->sid,
1833 				  new_isec->sclass,
1834 				  (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1835 		if (rc)
1836 			return rc;
1837 	}
1838 
1839 	return 0;
1840 }
1841 
1842 /* Check whether a task can perform a filesystem operation. */
1843 static int superblock_has_perm(const struct cred *cred,
1844 			       struct super_block *sb,
1845 			       u32 perms,
1846 			       struct common_audit_data *ad)
1847 {
1848 	struct superblock_security_struct *sbsec;
1849 	u32 sid = cred_sid(cred);
1850 
1851 	sbsec = sb->s_security;
1852 	return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1853 }
1854 
1855 /* Convert a Linux mode and permission mask to an access vector. */
1856 static inline u32 file_mask_to_av(int mode, int mask)
1857 {
1858 	u32 av = 0;
1859 
1860 	if (!S_ISDIR(mode)) {
1861 		if (mask & MAY_EXEC)
1862 			av |= FILE__EXECUTE;
1863 		if (mask & MAY_READ)
1864 			av |= FILE__READ;
1865 
1866 		if (mask & MAY_APPEND)
1867 			av |= FILE__APPEND;
1868 		else if (mask & MAY_WRITE)
1869 			av |= FILE__WRITE;
1870 
1871 	} else {
1872 		if (mask & MAY_EXEC)
1873 			av |= DIR__SEARCH;
1874 		if (mask & MAY_WRITE)
1875 			av |= DIR__WRITE;
1876 		if (mask & MAY_READ)
1877 			av |= DIR__READ;
1878 	}
1879 
1880 	return av;
1881 }
1882 
1883 /* Convert a Linux file to an access vector. */
1884 static inline u32 file_to_av(struct file *file)
1885 {
1886 	u32 av = 0;
1887 
1888 	if (file->f_mode & FMODE_READ)
1889 		av |= FILE__READ;
1890 	if (file->f_mode & FMODE_WRITE) {
1891 		if (file->f_flags & O_APPEND)
1892 			av |= FILE__APPEND;
1893 		else
1894 			av |= FILE__WRITE;
1895 	}
1896 	if (!av) {
1897 		/*
1898 		 * Special file opened with flags 3 for ioctl-only use.
1899 		 */
1900 		av = FILE__IOCTL;
1901 	}
1902 
1903 	return av;
1904 }
1905 
1906 /*
1907  * Convert a file to an access vector and include the correct open
1908  * open permission.
1909  */
1910 static inline u32 open_file_to_av(struct file *file)
1911 {
1912 	u32 av = file_to_av(file);
1913 
1914 	if (selinux_policycap_openperm)
1915 		av |= FILE__OPEN;
1916 
1917 	return av;
1918 }
1919 
1920 /* Hook functions begin here. */
1921 
1922 static int selinux_binder_set_context_mgr(struct task_struct *mgr)
1923 {
1924 	u32 mysid = current_sid();
1925 	u32 mgrsid = task_sid(mgr);
1926 
1927 	return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER,
1928 			    BINDER__SET_CONTEXT_MGR, NULL);
1929 }
1930 
1931 static int selinux_binder_transaction(struct task_struct *from,
1932 				      struct task_struct *to)
1933 {
1934 	u32 mysid = current_sid();
1935 	u32 fromsid = task_sid(from);
1936 	u32 tosid = task_sid(to);
1937 	int rc;
1938 
1939 	if (mysid != fromsid) {
1940 		rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
1941 				  BINDER__IMPERSONATE, NULL);
1942 		if (rc)
1943 			return rc;
1944 	}
1945 
1946 	return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
1947 			    NULL);
1948 }
1949 
1950 static int selinux_binder_transfer_binder(struct task_struct *from,
1951 					  struct task_struct *to)
1952 {
1953 	u32 fromsid = task_sid(from);
1954 	u32 tosid = task_sid(to);
1955 
1956 	return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
1957 			    NULL);
1958 }
1959 
1960 static int selinux_binder_transfer_file(struct task_struct *from,
1961 					struct task_struct *to,
1962 					struct file *file)
1963 {
1964 	u32 sid = task_sid(to);
1965 	struct file_security_struct *fsec = file->f_security;
1966 	struct inode *inode = d_backing_inode(file->f_path.dentry);
1967 	struct inode_security_struct *isec = inode->i_security;
1968 	struct common_audit_data ad;
1969 	int rc;
1970 
1971 	ad.type = LSM_AUDIT_DATA_PATH;
1972 	ad.u.path = file->f_path;
1973 
1974 	if (sid != fsec->sid) {
1975 		rc = avc_has_perm(sid, fsec->sid,
1976 				  SECCLASS_FD,
1977 				  FD__USE,
1978 				  &ad);
1979 		if (rc)
1980 			return rc;
1981 	}
1982 
1983 	if (unlikely(IS_PRIVATE(inode)))
1984 		return 0;
1985 
1986 	return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
1987 			    &ad);
1988 }
1989 
1990 static int selinux_ptrace_access_check(struct task_struct *child,
1991 				     unsigned int mode)
1992 {
1993 	int rc;
1994 
1995 	rc = cap_ptrace_access_check(child, mode);
1996 	if (rc)
1997 		return rc;
1998 
1999 	if (mode & PTRACE_MODE_READ) {
2000 		u32 sid = current_sid();
2001 		u32 csid = task_sid(child);
2002 		return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2003 	}
2004 
2005 	return current_has_perm(child, PROCESS__PTRACE);
2006 }
2007 
2008 static int selinux_ptrace_traceme(struct task_struct *parent)
2009 {
2010 	int rc;
2011 
2012 	rc = cap_ptrace_traceme(parent);
2013 	if (rc)
2014 		return rc;
2015 
2016 	return task_has_perm(parent, current, PROCESS__PTRACE);
2017 }
2018 
2019 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2020 			  kernel_cap_t *inheritable, kernel_cap_t *permitted)
2021 {
2022 	int error;
2023 
2024 	error = current_has_perm(target, PROCESS__GETCAP);
2025 	if (error)
2026 		return error;
2027 
2028 	return cap_capget(target, effective, inheritable, permitted);
2029 }
2030 
2031 static int selinux_capset(struct cred *new, const struct cred *old,
2032 			  const kernel_cap_t *effective,
2033 			  const kernel_cap_t *inheritable,
2034 			  const kernel_cap_t *permitted)
2035 {
2036 	int error;
2037 
2038 	error = cap_capset(new, old,
2039 				      effective, inheritable, permitted);
2040 	if (error)
2041 		return error;
2042 
2043 	return cred_has_perm(old, new, PROCESS__SETCAP);
2044 }
2045 
2046 /*
2047  * (This comment used to live with the selinux_task_setuid hook,
2048  * which was removed).
2049  *
2050  * Since setuid only affects the current process, and since the SELinux
2051  * controls are not based on the Linux identity attributes, SELinux does not
2052  * need to control this operation.  However, SELinux does control the use of
2053  * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2054  */
2055 
2056 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2057 			   int cap, int audit)
2058 {
2059 	int rc;
2060 
2061 	rc = cap_capable(cred, ns, cap, audit);
2062 	if (rc)
2063 		return rc;
2064 
2065 	return cred_has_capability(cred, cap, audit);
2066 }
2067 
2068 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2069 {
2070 	const struct cred *cred = current_cred();
2071 	int rc = 0;
2072 
2073 	if (!sb)
2074 		return 0;
2075 
2076 	switch (cmds) {
2077 	case Q_SYNC:
2078 	case Q_QUOTAON:
2079 	case Q_QUOTAOFF:
2080 	case Q_SETINFO:
2081 	case Q_SETQUOTA:
2082 		rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2083 		break;
2084 	case Q_GETFMT:
2085 	case Q_GETINFO:
2086 	case Q_GETQUOTA:
2087 		rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2088 		break;
2089 	default:
2090 		rc = 0;  /* let the kernel handle invalid cmds */
2091 		break;
2092 	}
2093 	return rc;
2094 }
2095 
2096 static int selinux_quota_on(struct dentry *dentry)
2097 {
2098 	const struct cred *cred = current_cred();
2099 
2100 	return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2101 }
2102 
2103 static int selinux_syslog(int type)
2104 {
2105 	int rc;
2106 
2107 	switch (type) {
2108 	case SYSLOG_ACTION_READ_ALL:	/* Read last kernel messages */
2109 	case SYSLOG_ACTION_SIZE_BUFFER:	/* Return size of the log buffer */
2110 		rc = task_has_system(current, SYSTEM__SYSLOG_READ);
2111 		break;
2112 	case SYSLOG_ACTION_CONSOLE_OFF:	/* Disable logging to console */
2113 	case SYSLOG_ACTION_CONSOLE_ON:	/* Enable logging to console */
2114 	/* Set level of messages printed to console */
2115 	case SYSLOG_ACTION_CONSOLE_LEVEL:
2116 		rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
2117 		break;
2118 	case SYSLOG_ACTION_CLOSE:	/* Close log */
2119 	case SYSLOG_ACTION_OPEN:	/* Open log */
2120 	case SYSLOG_ACTION_READ:	/* Read from log */
2121 	case SYSLOG_ACTION_READ_CLEAR:	/* Read/clear last kernel messages */
2122 	case SYSLOG_ACTION_CLEAR:	/* Clear ring buffer */
2123 	default:
2124 		rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
2125 		break;
2126 	}
2127 	return rc;
2128 }
2129 
2130 /*
2131  * Check that a process has enough memory to allocate a new virtual
2132  * mapping. 0 means there is enough memory for the allocation to
2133  * succeed and -ENOMEM implies there is not.
2134  *
2135  * Do not audit the selinux permission check, as this is applied to all
2136  * processes that allocate mappings.
2137  */
2138 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2139 {
2140 	int rc, cap_sys_admin = 0;
2141 
2142 	rc = selinux_capable(current_cred(), &init_user_ns, CAP_SYS_ADMIN,
2143 			     SECURITY_CAP_NOAUDIT);
2144 	if (rc == 0)
2145 		cap_sys_admin = 1;
2146 
2147 	return __vm_enough_memory(mm, pages, cap_sys_admin);
2148 }
2149 
2150 /* binprm security operations */
2151 
2152 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2153 			    const struct task_security_struct *old_tsec,
2154 			    const struct task_security_struct *new_tsec)
2155 {
2156 	int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2157 	int nosuid = (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID);
2158 	int rc;
2159 
2160 	if (!nnp && !nosuid)
2161 		return 0; /* neither NNP nor nosuid */
2162 
2163 	if (new_tsec->sid == old_tsec->sid)
2164 		return 0; /* No change in credentials */
2165 
2166 	/*
2167 	 * The only transitions we permit under NNP or nosuid
2168 	 * are transitions to bounded SIDs, i.e. SIDs that are
2169 	 * guaranteed to only be allowed a subset of the permissions
2170 	 * of the current SID.
2171 	 */
2172 	rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);
2173 	if (rc) {
2174 		/*
2175 		 * On failure, preserve the errno values for NNP vs nosuid.
2176 		 * NNP:  Operation not permitted for caller.
2177 		 * nosuid:  Permission denied to file.
2178 		 */
2179 		if (nnp)
2180 			return -EPERM;
2181 		else
2182 			return -EACCES;
2183 	}
2184 	return 0;
2185 }
2186 
2187 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2188 {
2189 	const struct task_security_struct *old_tsec;
2190 	struct task_security_struct *new_tsec;
2191 	struct inode_security_struct *isec;
2192 	struct common_audit_data ad;
2193 	struct inode *inode = file_inode(bprm->file);
2194 	int rc;
2195 
2196 	rc = cap_bprm_set_creds(bprm);
2197 	if (rc)
2198 		return rc;
2199 
2200 	/* SELinux context only depends on initial program or script and not
2201 	 * the script interpreter */
2202 	if (bprm->cred_prepared)
2203 		return 0;
2204 
2205 	old_tsec = current_security();
2206 	new_tsec = bprm->cred->security;
2207 	isec = inode->i_security;
2208 
2209 	/* Default to the current task SID. */
2210 	new_tsec->sid = old_tsec->sid;
2211 	new_tsec->osid = old_tsec->sid;
2212 
2213 	/* Reset fs, key, and sock SIDs on execve. */
2214 	new_tsec->create_sid = 0;
2215 	new_tsec->keycreate_sid = 0;
2216 	new_tsec->sockcreate_sid = 0;
2217 
2218 	if (old_tsec->exec_sid) {
2219 		new_tsec->sid = old_tsec->exec_sid;
2220 		/* Reset exec SID on execve. */
2221 		new_tsec->exec_sid = 0;
2222 
2223 		/* Fail on NNP or nosuid if not an allowed transition. */
2224 		rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2225 		if (rc)
2226 			return rc;
2227 	} else {
2228 		/* Check for a default transition on this program. */
2229 		rc = security_transition_sid(old_tsec->sid, isec->sid,
2230 					     SECCLASS_PROCESS, NULL,
2231 					     &new_tsec->sid);
2232 		if (rc)
2233 			return rc;
2234 
2235 		/*
2236 		 * Fallback to old SID on NNP or nosuid if not an allowed
2237 		 * transition.
2238 		 */
2239 		rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2240 		if (rc)
2241 			new_tsec->sid = old_tsec->sid;
2242 	}
2243 
2244 	ad.type = LSM_AUDIT_DATA_PATH;
2245 	ad.u.path = bprm->file->f_path;
2246 
2247 	if (new_tsec->sid == old_tsec->sid) {
2248 		rc = avc_has_perm(old_tsec->sid, isec->sid,
2249 				  SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2250 		if (rc)
2251 			return rc;
2252 	} else {
2253 		/* Check permissions for the transition. */
2254 		rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2255 				  SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2256 		if (rc)
2257 			return rc;
2258 
2259 		rc = avc_has_perm(new_tsec->sid, isec->sid,
2260 				  SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2261 		if (rc)
2262 			return rc;
2263 
2264 		/* Check for shared state */
2265 		if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2266 			rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2267 					  SECCLASS_PROCESS, PROCESS__SHARE,
2268 					  NULL);
2269 			if (rc)
2270 				return -EPERM;
2271 		}
2272 
2273 		/* Make sure that anyone attempting to ptrace over a task that
2274 		 * changes its SID has the appropriate permit */
2275 		if (bprm->unsafe &
2276 		    (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2277 			struct task_struct *tracer;
2278 			struct task_security_struct *sec;
2279 			u32 ptsid = 0;
2280 
2281 			rcu_read_lock();
2282 			tracer = ptrace_parent(current);
2283 			if (likely(tracer != NULL)) {
2284 				sec = __task_cred(tracer)->security;
2285 				ptsid = sec->sid;
2286 			}
2287 			rcu_read_unlock();
2288 
2289 			if (ptsid != 0) {
2290 				rc = avc_has_perm(ptsid, new_tsec->sid,
2291 						  SECCLASS_PROCESS,
2292 						  PROCESS__PTRACE, NULL);
2293 				if (rc)
2294 					return -EPERM;
2295 			}
2296 		}
2297 
2298 		/* Clear any possibly unsafe personality bits on exec: */
2299 		bprm->per_clear |= PER_CLEAR_ON_SETID;
2300 	}
2301 
2302 	return 0;
2303 }
2304 
2305 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2306 {
2307 	const struct task_security_struct *tsec = current_security();
2308 	u32 sid, osid;
2309 	int atsecure = 0;
2310 
2311 	sid = tsec->sid;
2312 	osid = tsec->osid;
2313 
2314 	if (osid != sid) {
2315 		/* Enable secure mode for SIDs transitions unless
2316 		   the noatsecure permission is granted between
2317 		   the two SIDs, i.e. ahp returns 0. */
2318 		atsecure = avc_has_perm(osid, sid,
2319 					SECCLASS_PROCESS,
2320 					PROCESS__NOATSECURE, NULL);
2321 	}
2322 
2323 	return (atsecure || cap_bprm_secureexec(bprm));
2324 }
2325 
2326 static int match_file(const void *p, struct file *file, unsigned fd)
2327 {
2328 	return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2329 }
2330 
2331 /* Derived from fs/exec.c:flush_old_files. */
2332 static inline void flush_unauthorized_files(const struct cred *cred,
2333 					    struct files_struct *files)
2334 {
2335 	struct file *file, *devnull = NULL;
2336 	struct tty_struct *tty;
2337 	int drop_tty = 0;
2338 	unsigned n;
2339 
2340 	tty = get_current_tty();
2341 	if (tty) {
2342 		spin_lock(&tty_files_lock);
2343 		if (!list_empty(&tty->tty_files)) {
2344 			struct tty_file_private *file_priv;
2345 
2346 			/* Revalidate access to controlling tty.
2347 			   Use file_path_has_perm on the tty path directly
2348 			   rather than using file_has_perm, as this particular
2349 			   open file may belong to another process and we are
2350 			   only interested in the inode-based check here. */
2351 			file_priv = list_first_entry(&tty->tty_files,
2352 						struct tty_file_private, list);
2353 			file = file_priv->file;
2354 			if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2355 				drop_tty = 1;
2356 		}
2357 		spin_unlock(&tty_files_lock);
2358 		tty_kref_put(tty);
2359 	}
2360 	/* Reset controlling tty. */
2361 	if (drop_tty)
2362 		no_tty();
2363 
2364 	/* Revalidate access to inherited open files. */
2365 	n = iterate_fd(files, 0, match_file, cred);
2366 	if (!n) /* none found? */
2367 		return;
2368 
2369 	devnull = dentry_open(&selinux_null, O_RDWR, cred);
2370 	if (IS_ERR(devnull))
2371 		devnull = NULL;
2372 	/* replace all the matching ones with this */
2373 	do {
2374 		replace_fd(n - 1, devnull, 0);
2375 	} while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2376 	if (devnull)
2377 		fput(devnull);
2378 }
2379 
2380 /*
2381  * Prepare a process for imminent new credential changes due to exec
2382  */
2383 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2384 {
2385 	struct task_security_struct *new_tsec;
2386 	struct rlimit *rlim, *initrlim;
2387 	int rc, i;
2388 
2389 	new_tsec = bprm->cred->security;
2390 	if (new_tsec->sid == new_tsec->osid)
2391 		return;
2392 
2393 	/* Close files for which the new task SID is not authorized. */
2394 	flush_unauthorized_files(bprm->cred, current->files);
2395 
2396 	/* Always clear parent death signal on SID transitions. */
2397 	current->pdeath_signal = 0;
2398 
2399 	/* Check whether the new SID can inherit resource limits from the old
2400 	 * SID.  If not, reset all soft limits to the lower of the current
2401 	 * task's hard limit and the init task's soft limit.
2402 	 *
2403 	 * Note that the setting of hard limits (even to lower them) can be
2404 	 * controlled by the setrlimit check.  The inclusion of the init task's
2405 	 * soft limit into the computation is to avoid resetting soft limits
2406 	 * higher than the default soft limit for cases where the default is
2407 	 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2408 	 */
2409 	rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2410 			  PROCESS__RLIMITINH, NULL);
2411 	if (rc) {
2412 		/* protect against do_prlimit() */
2413 		task_lock(current);
2414 		for (i = 0; i < RLIM_NLIMITS; i++) {
2415 			rlim = current->signal->rlim + i;
2416 			initrlim = init_task.signal->rlim + i;
2417 			rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2418 		}
2419 		task_unlock(current);
2420 		update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2421 	}
2422 }
2423 
2424 /*
2425  * Clean up the process immediately after the installation of new credentials
2426  * due to exec
2427  */
2428 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2429 {
2430 	const struct task_security_struct *tsec = current_security();
2431 	struct itimerval itimer;
2432 	u32 osid, sid;
2433 	int rc, i;
2434 
2435 	osid = tsec->osid;
2436 	sid = tsec->sid;
2437 
2438 	if (sid == osid)
2439 		return;
2440 
2441 	/* Check whether the new SID can inherit signal state from the old SID.
2442 	 * If not, clear itimers to avoid subsequent signal generation and
2443 	 * flush and unblock signals.
2444 	 *
2445 	 * This must occur _after_ the task SID has been updated so that any
2446 	 * kill done after the flush will be checked against the new SID.
2447 	 */
2448 	rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2449 	if (rc) {
2450 		memset(&itimer, 0, sizeof itimer);
2451 		for (i = 0; i < 3; i++)
2452 			do_setitimer(i, &itimer, NULL);
2453 		spin_lock_irq(&current->sighand->siglock);
2454 		if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) {
2455 			__flush_signals(current);
2456 			flush_signal_handlers(current, 1);
2457 			sigemptyset(&current->blocked);
2458 		}
2459 		spin_unlock_irq(&current->sighand->siglock);
2460 	}
2461 
2462 	/* Wake up the parent if it is waiting so that it can recheck
2463 	 * wait permission to the new task SID. */
2464 	read_lock(&tasklist_lock);
2465 	__wake_up_parent(current, current->real_parent);
2466 	read_unlock(&tasklist_lock);
2467 }
2468 
2469 /* superblock security operations */
2470 
2471 static int selinux_sb_alloc_security(struct super_block *sb)
2472 {
2473 	return superblock_alloc_security(sb);
2474 }
2475 
2476 static void selinux_sb_free_security(struct super_block *sb)
2477 {
2478 	superblock_free_security(sb);
2479 }
2480 
2481 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2482 {
2483 	if (plen > olen)
2484 		return 0;
2485 
2486 	return !memcmp(prefix, option, plen);
2487 }
2488 
2489 static inline int selinux_option(char *option, int len)
2490 {
2491 	return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2492 		match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2493 		match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2494 		match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2495 		match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2496 }
2497 
2498 static inline void take_option(char **to, char *from, int *first, int len)
2499 {
2500 	if (!*first) {
2501 		**to = ',';
2502 		*to += 1;
2503 	} else
2504 		*first = 0;
2505 	memcpy(*to, from, len);
2506 	*to += len;
2507 }
2508 
2509 static inline void take_selinux_option(char **to, char *from, int *first,
2510 				       int len)
2511 {
2512 	int current_size = 0;
2513 
2514 	if (!*first) {
2515 		**to = '|';
2516 		*to += 1;
2517 	} else
2518 		*first = 0;
2519 
2520 	while (current_size < len) {
2521 		if (*from != '"') {
2522 			**to = *from;
2523 			*to += 1;
2524 		}
2525 		from += 1;
2526 		current_size += 1;
2527 	}
2528 }
2529 
2530 static int selinux_sb_copy_data(char *orig, char *copy)
2531 {
2532 	int fnosec, fsec, rc = 0;
2533 	char *in_save, *in_curr, *in_end;
2534 	char *sec_curr, *nosec_save, *nosec;
2535 	int open_quote = 0;
2536 
2537 	in_curr = orig;
2538 	sec_curr = copy;
2539 
2540 	nosec = (char *)get_zeroed_page(GFP_KERNEL);
2541 	if (!nosec) {
2542 		rc = -ENOMEM;
2543 		goto out;
2544 	}
2545 
2546 	nosec_save = nosec;
2547 	fnosec = fsec = 1;
2548 	in_save = in_end = orig;
2549 
2550 	do {
2551 		if (*in_end == '"')
2552 			open_quote = !open_quote;
2553 		if ((*in_end == ',' && open_quote == 0) ||
2554 				*in_end == '\0') {
2555 			int len = in_end - in_curr;
2556 
2557 			if (selinux_option(in_curr, len))
2558 				take_selinux_option(&sec_curr, in_curr, &fsec, len);
2559 			else
2560 				take_option(&nosec, in_curr, &fnosec, len);
2561 
2562 			in_curr = in_end + 1;
2563 		}
2564 	} while (*in_end++);
2565 
2566 	strcpy(in_save, nosec_save);
2567 	free_page((unsigned long)nosec_save);
2568 out:
2569 	return rc;
2570 }
2571 
2572 static int selinux_sb_remount(struct super_block *sb, void *data)
2573 {
2574 	int rc, i, *flags;
2575 	struct security_mnt_opts opts;
2576 	char *secdata, **mount_options;
2577 	struct superblock_security_struct *sbsec = sb->s_security;
2578 
2579 	if (!(sbsec->flags & SE_SBINITIALIZED))
2580 		return 0;
2581 
2582 	if (!data)
2583 		return 0;
2584 
2585 	if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2586 		return 0;
2587 
2588 	security_init_mnt_opts(&opts);
2589 	secdata = alloc_secdata();
2590 	if (!secdata)
2591 		return -ENOMEM;
2592 	rc = selinux_sb_copy_data(data, secdata);
2593 	if (rc)
2594 		goto out_free_secdata;
2595 
2596 	rc = selinux_parse_opts_str(secdata, &opts);
2597 	if (rc)
2598 		goto out_free_secdata;
2599 
2600 	mount_options = opts.mnt_opts;
2601 	flags = opts.mnt_opts_flags;
2602 
2603 	for (i = 0; i < opts.num_mnt_opts; i++) {
2604 		u32 sid;
2605 		size_t len;
2606 
2607 		if (flags[i] == SBLABEL_MNT)
2608 			continue;
2609 		len = strlen(mount_options[i]);
2610 		rc = security_context_to_sid(mount_options[i], len, &sid,
2611 					     GFP_KERNEL);
2612 		if (rc) {
2613 			printk(KERN_WARNING "SELinux: security_context_to_sid"
2614 			       "(%s) failed for (dev %s, type %s) errno=%d\n",
2615 			       mount_options[i], sb->s_id, sb->s_type->name, rc);
2616 			goto out_free_opts;
2617 		}
2618 		rc = -EINVAL;
2619 		switch (flags[i]) {
2620 		case FSCONTEXT_MNT:
2621 			if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2622 				goto out_bad_option;
2623 			break;
2624 		case CONTEXT_MNT:
2625 			if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2626 				goto out_bad_option;
2627 			break;
2628 		case ROOTCONTEXT_MNT: {
2629 			struct inode_security_struct *root_isec;
2630 			root_isec = d_backing_inode(sb->s_root)->i_security;
2631 
2632 			if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2633 				goto out_bad_option;
2634 			break;
2635 		}
2636 		case DEFCONTEXT_MNT:
2637 			if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2638 				goto out_bad_option;
2639 			break;
2640 		default:
2641 			goto out_free_opts;
2642 		}
2643 	}
2644 
2645 	rc = 0;
2646 out_free_opts:
2647 	security_free_mnt_opts(&opts);
2648 out_free_secdata:
2649 	free_secdata(secdata);
2650 	return rc;
2651 out_bad_option:
2652 	printk(KERN_WARNING "SELinux: unable to change security options "
2653 	       "during remount (dev %s, type=%s)\n", sb->s_id,
2654 	       sb->s_type->name);
2655 	goto out_free_opts;
2656 }
2657 
2658 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2659 {
2660 	const struct cred *cred = current_cred();
2661 	struct common_audit_data ad;
2662 	int rc;
2663 
2664 	rc = superblock_doinit(sb, data);
2665 	if (rc)
2666 		return rc;
2667 
2668 	/* Allow all mounts performed by the kernel */
2669 	if (flags & MS_KERNMOUNT)
2670 		return 0;
2671 
2672 	ad.type = LSM_AUDIT_DATA_DENTRY;
2673 	ad.u.dentry = sb->s_root;
2674 	return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2675 }
2676 
2677 static int selinux_sb_statfs(struct dentry *dentry)
2678 {
2679 	const struct cred *cred = current_cred();
2680 	struct common_audit_data ad;
2681 
2682 	ad.type = LSM_AUDIT_DATA_DENTRY;
2683 	ad.u.dentry = dentry->d_sb->s_root;
2684 	return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2685 }
2686 
2687 static int selinux_mount(const char *dev_name,
2688 			 struct path *path,
2689 			 const char *type,
2690 			 unsigned long flags,
2691 			 void *data)
2692 {
2693 	const struct cred *cred = current_cred();
2694 
2695 	if (flags & MS_REMOUNT)
2696 		return superblock_has_perm(cred, path->dentry->d_sb,
2697 					   FILESYSTEM__REMOUNT, NULL);
2698 	else
2699 		return path_has_perm(cred, path, FILE__MOUNTON);
2700 }
2701 
2702 static int selinux_umount(struct vfsmount *mnt, int flags)
2703 {
2704 	const struct cred *cred = current_cred();
2705 
2706 	return superblock_has_perm(cred, mnt->mnt_sb,
2707 				   FILESYSTEM__UNMOUNT, NULL);
2708 }
2709 
2710 /* inode security operations */
2711 
2712 static int selinux_inode_alloc_security(struct inode *inode)
2713 {
2714 	return inode_alloc_security(inode);
2715 }
2716 
2717 static void selinux_inode_free_security(struct inode *inode)
2718 {
2719 	inode_free_security(inode);
2720 }
2721 
2722 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2723 					struct qstr *name, void **ctx,
2724 					u32 *ctxlen)
2725 {
2726 	const struct cred *cred = current_cred();
2727 	struct task_security_struct *tsec;
2728 	struct inode_security_struct *dsec;
2729 	struct superblock_security_struct *sbsec;
2730 	struct inode *dir = d_backing_inode(dentry->d_parent);
2731 	u32 newsid;
2732 	int rc;
2733 
2734 	tsec = cred->security;
2735 	dsec = dir->i_security;
2736 	sbsec = dir->i_sb->s_security;
2737 
2738 	if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2739 		newsid = tsec->create_sid;
2740 	} else {
2741 		rc = security_transition_sid(tsec->sid, dsec->sid,
2742 					     inode_mode_to_security_class(mode),
2743 					     name,
2744 					     &newsid);
2745 		if (rc) {
2746 			printk(KERN_WARNING
2747 				"%s: security_transition_sid failed, rc=%d\n",
2748 			       __func__, -rc);
2749 			return rc;
2750 		}
2751 	}
2752 
2753 	return security_sid_to_context(newsid, (char **)ctx, ctxlen);
2754 }
2755 
2756 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2757 				       const struct qstr *qstr,
2758 				       const char **name,
2759 				       void **value, size_t *len)
2760 {
2761 	const struct task_security_struct *tsec = current_security();
2762 	struct inode_security_struct *dsec;
2763 	struct superblock_security_struct *sbsec;
2764 	u32 sid, newsid, clen;
2765 	int rc;
2766 	char *context;
2767 
2768 	dsec = dir->i_security;
2769 	sbsec = dir->i_sb->s_security;
2770 
2771 	sid = tsec->sid;
2772 	newsid = tsec->create_sid;
2773 
2774 	if ((sbsec->flags & SE_SBINITIALIZED) &&
2775 	    (sbsec->behavior == SECURITY_FS_USE_MNTPOINT))
2776 		newsid = sbsec->mntpoint_sid;
2777 	else if (!newsid || !(sbsec->flags & SBLABEL_MNT)) {
2778 		rc = security_transition_sid(sid, dsec->sid,
2779 					     inode_mode_to_security_class(inode->i_mode),
2780 					     qstr, &newsid);
2781 		if (rc) {
2782 			printk(KERN_WARNING "%s:  "
2783 			       "security_transition_sid failed, rc=%d (dev=%s "
2784 			       "ino=%ld)\n",
2785 			       __func__,
2786 			       -rc, inode->i_sb->s_id, inode->i_ino);
2787 			return rc;
2788 		}
2789 	}
2790 
2791 	/* Possibly defer initialization to selinux_complete_init. */
2792 	if (sbsec->flags & SE_SBINITIALIZED) {
2793 		struct inode_security_struct *isec = inode->i_security;
2794 		isec->sclass = inode_mode_to_security_class(inode->i_mode);
2795 		isec->sid = newsid;
2796 		isec->initialized = 1;
2797 	}
2798 
2799 	if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
2800 		return -EOPNOTSUPP;
2801 
2802 	if (name)
2803 		*name = XATTR_SELINUX_SUFFIX;
2804 
2805 	if (value && len) {
2806 		rc = security_sid_to_context_force(newsid, &context, &clen);
2807 		if (rc)
2808 			return rc;
2809 		*value = context;
2810 		*len = clen;
2811 	}
2812 
2813 	return 0;
2814 }
2815 
2816 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2817 {
2818 	return may_create(dir, dentry, SECCLASS_FILE);
2819 }
2820 
2821 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2822 {
2823 	return may_link(dir, old_dentry, MAY_LINK);
2824 }
2825 
2826 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2827 {
2828 	return may_link(dir, dentry, MAY_UNLINK);
2829 }
2830 
2831 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2832 {
2833 	return may_create(dir, dentry, SECCLASS_LNK_FILE);
2834 }
2835 
2836 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2837 {
2838 	return may_create(dir, dentry, SECCLASS_DIR);
2839 }
2840 
2841 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2842 {
2843 	return may_link(dir, dentry, MAY_RMDIR);
2844 }
2845 
2846 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
2847 {
2848 	return may_create(dir, dentry, inode_mode_to_security_class(mode));
2849 }
2850 
2851 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2852 				struct inode *new_inode, struct dentry *new_dentry)
2853 {
2854 	return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2855 }
2856 
2857 static int selinux_inode_readlink(struct dentry *dentry)
2858 {
2859 	const struct cred *cred = current_cred();
2860 
2861 	return dentry_has_perm(cred, dentry, FILE__READ);
2862 }
2863 
2864 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2865 {
2866 	const struct cred *cred = current_cred();
2867 
2868 	return dentry_has_perm(cred, dentry, FILE__READ);
2869 }
2870 
2871 static noinline int audit_inode_permission(struct inode *inode,
2872 					   u32 perms, u32 audited, u32 denied,
2873 					   int result,
2874 					   unsigned flags)
2875 {
2876 	struct common_audit_data ad;
2877 	struct inode_security_struct *isec = inode->i_security;
2878 	int rc;
2879 
2880 	ad.type = LSM_AUDIT_DATA_INODE;
2881 	ad.u.inode = inode;
2882 
2883 	rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
2884 			    audited, denied, result, &ad, flags);
2885 	if (rc)
2886 		return rc;
2887 	return 0;
2888 }
2889 
2890 static int selinux_inode_permission(struct inode *inode, int mask)
2891 {
2892 	const struct cred *cred = current_cred();
2893 	u32 perms;
2894 	bool from_access;
2895 	unsigned flags = mask & MAY_NOT_BLOCK;
2896 	struct inode_security_struct *isec;
2897 	u32 sid;
2898 	struct av_decision avd;
2899 	int rc, rc2;
2900 	u32 audited, denied;
2901 
2902 	from_access = mask & MAY_ACCESS;
2903 	mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2904 
2905 	/* No permission to check.  Existence test. */
2906 	if (!mask)
2907 		return 0;
2908 
2909 	validate_creds(cred);
2910 
2911 	if (unlikely(IS_PRIVATE(inode)))
2912 		return 0;
2913 
2914 	perms = file_mask_to_av(inode->i_mode, mask);
2915 
2916 	sid = cred_sid(cred);
2917 	isec = inode->i_security;
2918 
2919 	rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
2920 	audited = avc_audit_required(perms, &avd, rc,
2921 				     from_access ? FILE__AUDIT_ACCESS : 0,
2922 				     &denied);
2923 	if (likely(!audited))
2924 		return rc;
2925 
2926 	rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
2927 	if (rc2)
2928 		return rc2;
2929 	return rc;
2930 }
2931 
2932 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2933 {
2934 	const struct cred *cred = current_cred();
2935 	unsigned int ia_valid = iattr->ia_valid;
2936 	__u32 av = FILE__WRITE;
2937 
2938 	/* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2939 	if (ia_valid & ATTR_FORCE) {
2940 		ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
2941 			      ATTR_FORCE);
2942 		if (!ia_valid)
2943 			return 0;
2944 	}
2945 
2946 	if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2947 			ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2948 		return dentry_has_perm(cred, dentry, FILE__SETATTR);
2949 
2950 	if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE))
2951 		av |= FILE__OPEN;
2952 
2953 	return dentry_has_perm(cred, dentry, av);
2954 }
2955 
2956 static int selinux_inode_getattr(const struct path *path)
2957 {
2958 	return path_has_perm(current_cred(), path, FILE__GETATTR);
2959 }
2960 
2961 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2962 {
2963 	const struct cred *cred = current_cred();
2964 
2965 	if (!strncmp(name, XATTR_SECURITY_PREFIX,
2966 		     sizeof XATTR_SECURITY_PREFIX - 1)) {
2967 		if (!strcmp(name, XATTR_NAME_CAPS)) {
2968 			if (!capable(CAP_SETFCAP))
2969 				return -EPERM;
2970 		} else if (!capable(CAP_SYS_ADMIN)) {
2971 			/* A different attribute in the security namespace.
2972 			   Restrict to administrator. */
2973 			return -EPERM;
2974 		}
2975 	}
2976 
2977 	/* Not an attribute we recognize, so just check the
2978 	   ordinary setattr permission. */
2979 	return dentry_has_perm(cred, dentry, FILE__SETATTR);
2980 }
2981 
2982 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2983 				  const void *value, size_t size, int flags)
2984 {
2985 	struct inode *inode = d_backing_inode(dentry);
2986 	struct inode_security_struct *isec = inode->i_security;
2987 	struct superblock_security_struct *sbsec;
2988 	struct common_audit_data ad;
2989 	u32 newsid, sid = current_sid();
2990 	int rc = 0;
2991 
2992 	if (strcmp(name, XATTR_NAME_SELINUX))
2993 		return selinux_inode_setotherxattr(dentry, name);
2994 
2995 	sbsec = inode->i_sb->s_security;
2996 	if (!(sbsec->flags & SBLABEL_MNT))
2997 		return -EOPNOTSUPP;
2998 
2999 	if (!inode_owner_or_capable(inode))
3000 		return -EPERM;
3001 
3002 	ad.type = LSM_AUDIT_DATA_DENTRY;
3003 	ad.u.dentry = dentry;
3004 
3005 	rc = avc_has_perm(sid, isec->sid, isec->sclass,
3006 			  FILE__RELABELFROM, &ad);
3007 	if (rc)
3008 		return rc;
3009 
3010 	rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
3011 	if (rc == -EINVAL) {
3012 		if (!capable(CAP_MAC_ADMIN)) {
3013 			struct audit_buffer *ab;
3014 			size_t audit_size;
3015 			const char *str;
3016 
3017 			/* We strip a nul only if it is at the end, otherwise the
3018 			 * context contains a nul and we should audit that */
3019 			if (value) {
3020 				str = value;
3021 				if (str[size - 1] == '\0')
3022 					audit_size = size - 1;
3023 				else
3024 					audit_size = size;
3025 			} else {
3026 				str = "";
3027 				audit_size = 0;
3028 			}
3029 			ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
3030 			audit_log_format(ab, "op=setxattr invalid_context=");
3031 			audit_log_n_untrustedstring(ab, value, audit_size);
3032 			audit_log_end(ab);
3033 
3034 			return rc;
3035 		}
3036 		rc = security_context_to_sid_force(value, size, &newsid);
3037 	}
3038 	if (rc)
3039 		return rc;
3040 
3041 	rc = avc_has_perm(sid, newsid, isec->sclass,
3042 			  FILE__RELABELTO, &ad);
3043 	if (rc)
3044 		return rc;
3045 
3046 	rc = security_validate_transition(isec->sid, newsid, sid,
3047 					  isec->sclass);
3048 	if (rc)
3049 		return rc;
3050 
3051 	return avc_has_perm(newsid,
3052 			    sbsec->sid,
3053 			    SECCLASS_FILESYSTEM,
3054 			    FILESYSTEM__ASSOCIATE,
3055 			    &ad);
3056 }
3057 
3058 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3059 					const void *value, size_t size,
3060 					int flags)
3061 {
3062 	struct inode *inode = d_backing_inode(dentry);
3063 	struct inode_security_struct *isec = inode->i_security;
3064 	u32 newsid;
3065 	int rc;
3066 
3067 	if (strcmp(name, XATTR_NAME_SELINUX)) {
3068 		/* Not an attribute we recognize, so nothing to do. */
3069 		return;
3070 	}
3071 
3072 	rc = security_context_to_sid_force(value, size, &newsid);
3073 	if (rc) {
3074 		printk(KERN_ERR "SELinux:  unable to map context to SID"
3075 		       "for (%s, %lu), rc=%d\n",
3076 		       inode->i_sb->s_id, inode->i_ino, -rc);
3077 		return;
3078 	}
3079 
3080 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
3081 	isec->sid = newsid;
3082 	isec->initialized = 1;
3083 
3084 	return;
3085 }
3086 
3087 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3088 {
3089 	const struct cred *cred = current_cred();
3090 
3091 	return dentry_has_perm(cred, dentry, FILE__GETATTR);
3092 }
3093 
3094 static int selinux_inode_listxattr(struct dentry *dentry)
3095 {
3096 	const struct cred *cred = current_cred();
3097 
3098 	return dentry_has_perm(cred, dentry, FILE__GETATTR);
3099 }
3100 
3101 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
3102 {
3103 	if (strcmp(name, XATTR_NAME_SELINUX))
3104 		return selinux_inode_setotherxattr(dentry, name);
3105 
3106 	/* No one is allowed to remove a SELinux security label.
3107 	   You can change the label, but all data must be labeled. */
3108 	return -EACCES;
3109 }
3110 
3111 /*
3112  * Copy the inode security context value to the user.
3113  *
3114  * Permission check is handled by selinux_inode_getxattr hook.
3115  */
3116 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
3117 {
3118 	u32 size;
3119 	int error;
3120 	char *context = NULL;
3121 	struct inode_security_struct *isec = inode->i_security;
3122 
3123 	if (strcmp(name, XATTR_SELINUX_SUFFIX))
3124 		return -EOPNOTSUPP;
3125 
3126 	/*
3127 	 * If the caller has CAP_MAC_ADMIN, then get the raw context
3128 	 * value even if it is not defined by current policy; otherwise,
3129 	 * use the in-core value under current policy.
3130 	 * Use the non-auditing forms of the permission checks since
3131 	 * getxattr may be called by unprivileged processes commonly
3132 	 * and lack of permission just means that we fall back to the
3133 	 * in-core context value, not a denial.
3134 	 */
3135 	error = selinux_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
3136 				SECURITY_CAP_NOAUDIT);
3137 	if (!error)
3138 		error = security_sid_to_context_force(isec->sid, &context,
3139 						      &size);
3140 	else
3141 		error = security_sid_to_context(isec->sid, &context, &size);
3142 	if (error)
3143 		return error;
3144 	error = size;
3145 	if (alloc) {
3146 		*buffer = context;
3147 		goto out_nofree;
3148 	}
3149 	kfree(context);
3150 out_nofree:
3151 	return error;
3152 }
3153 
3154 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3155 				     const void *value, size_t size, int flags)
3156 {
3157 	struct inode_security_struct *isec = inode->i_security;
3158 	u32 newsid;
3159 	int rc;
3160 
3161 	if (strcmp(name, XATTR_SELINUX_SUFFIX))
3162 		return -EOPNOTSUPP;
3163 
3164 	if (!value || !size)
3165 		return -EACCES;
3166 
3167 	rc = security_context_to_sid((void *)value, size, &newsid, GFP_KERNEL);
3168 	if (rc)
3169 		return rc;
3170 
3171 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
3172 	isec->sid = newsid;
3173 	isec->initialized = 1;
3174 	return 0;
3175 }
3176 
3177 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3178 {
3179 	const int len = sizeof(XATTR_NAME_SELINUX);
3180 	if (buffer && len <= buffer_size)
3181 		memcpy(buffer, XATTR_NAME_SELINUX, len);
3182 	return len;
3183 }
3184 
3185 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
3186 {
3187 	struct inode_security_struct *isec = inode->i_security;
3188 	*secid = isec->sid;
3189 }
3190 
3191 /* file security operations */
3192 
3193 static int selinux_revalidate_file_permission(struct file *file, int mask)
3194 {
3195 	const struct cred *cred = current_cred();
3196 	struct inode *inode = file_inode(file);
3197 
3198 	/* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3199 	if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3200 		mask |= MAY_APPEND;
3201 
3202 	return file_has_perm(cred, file,
3203 			     file_mask_to_av(inode->i_mode, mask));
3204 }
3205 
3206 static int selinux_file_permission(struct file *file, int mask)
3207 {
3208 	struct inode *inode = file_inode(file);
3209 	struct file_security_struct *fsec = file->f_security;
3210 	struct inode_security_struct *isec = inode->i_security;
3211 	u32 sid = current_sid();
3212 
3213 	if (!mask)
3214 		/* No permission to check.  Existence test. */
3215 		return 0;
3216 
3217 	if (sid == fsec->sid && fsec->isid == isec->sid &&
3218 	    fsec->pseqno == avc_policy_seqno())
3219 		/* No change since file_open check. */
3220 		return 0;
3221 
3222 	return selinux_revalidate_file_permission(file, mask);
3223 }
3224 
3225 static int selinux_file_alloc_security(struct file *file)
3226 {
3227 	return file_alloc_security(file);
3228 }
3229 
3230 static void selinux_file_free_security(struct file *file)
3231 {
3232 	file_free_security(file);
3233 }
3234 
3235 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3236 			      unsigned long arg)
3237 {
3238 	const struct cred *cred = current_cred();
3239 	int error = 0;
3240 
3241 	switch (cmd) {
3242 	case FIONREAD:
3243 	/* fall through */
3244 	case FIBMAP:
3245 	/* fall through */
3246 	case FIGETBSZ:
3247 	/* fall through */
3248 	case FS_IOC_GETFLAGS:
3249 	/* fall through */
3250 	case FS_IOC_GETVERSION:
3251 		error = file_has_perm(cred, file, FILE__GETATTR);
3252 		break;
3253 
3254 	case FS_IOC_SETFLAGS:
3255 	/* fall through */
3256 	case FS_IOC_SETVERSION:
3257 		error = file_has_perm(cred, file, FILE__SETATTR);
3258 		break;
3259 
3260 	/* sys_ioctl() checks */
3261 	case FIONBIO:
3262 	/* fall through */
3263 	case FIOASYNC:
3264 		error = file_has_perm(cred, file, 0);
3265 		break;
3266 
3267 	case KDSKBENT:
3268 	case KDSKBSENT:
3269 		error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3270 					    SECURITY_CAP_AUDIT);
3271 		break;
3272 
3273 	/* default case assumes that the command will go
3274 	 * to the file's ioctl() function.
3275 	 */
3276 	default:
3277 		error = file_has_perm(cred, file, FILE__IOCTL);
3278 	}
3279 	return error;
3280 }
3281 
3282 static int default_noexec;
3283 
3284 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3285 {
3286 	const struct cred *cred = current_cred();
3287 	int rc = 0;
3288 
3289 	if (default_noexec &&
3290 	    (prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
3291 		/*
3292 		 * We are making executable an anonymous mapping or a
3293 		 * private file mapping that will also be writable.
3294 		 * This has an additional check.
3295 		 */
3296 		rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
3297 		if (rc)
3298 			goto error;
3299 	}
3300 
3301 	if (file) {
3302 		/* read access is always possible with a mapping */
3303 		u32 av = FILE__READ;
3304 
3305 		/* write access only matters if the mapping is shared */
3306 		if (shared && (prot & PROT_WRITE))
3307 			av |= FILE__WRITE;
3308 
3309 		if (prot & PROT_EXEC)
3310 			av |= FILE__EXECUTE;
3311 
3312 		return file_has_perm(cred, file, av);
3313 	}
3314 
3315 error:
3316 	return rc;
3317 }
3318 
3319 static int selinux_mmap_addr(unsigned long addr)
3320 {
3321 	int rc;
3322 
3323 	/* do DAC check on address space usage */
3324 	rc = cap_mmap_addr(addr);
3325 	if (rc)
3326 		return rc;
3327 
3328 	if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3329 		u32 sid = current_sid();
3330 		rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3331 				  MEMPROTECT__MMAP_ZERO, NULL);
3332 	}
3333 
3334 	return rc;
3335 }
3336 
3337 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3338 			     unsigned long prot, unsigned long flags)
3339 {
3340 	if (selinux_checkreqprot)
3341 		prot = reqprot;
3342 
3343 	return file_map_prot_check(file, prot,
3344 				   (flags & MAP_TYPE) == MAP_SHARED);
3345 }
3346 
3347 static int selinux_file_mprotect(struct vm_area_struct *vma,
3348 				 unsigned long reqprot,
3349 				 unsigned long prot)
3350 {
3351 	const struct cred *cred = current_cred();
3352 
3353 	if (selinux_checkreqprot)
3354 		prot = reqprot;
3355 
3356 	if (default_noexec &&
3357 	    (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3358 		int rc = 0;
3359 		if (vma->vm_start >= vma->vm_mm->start_brk &&
3360 		    vma->vm_end <= vma->vm_mm->brk) {
3361 			rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3362 		} else if (!vma->vm_file &&
3363 			   vma->vm_start <= vma->vm_mm->start_stack &&
3364 			   vma->vm_end >= vma->vm_mm->start_stack) {
3365 			rc = current_has_perm(current, PROCESS__EXECSTACK);
3366 		} else if (vma->vm_file && vma->anon_vma) {
3367 			/*
3368 			 * We are making executable a file mapping that has
3369 			 * had some COW done. Since pages might have been
3370 			 * written, check ability to execute the possibly
3371 			 * modified content.  This typically should only
3372 			 * occur for text relocations.
3373 			 */
3374 			rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3375 		}
3376 		if (rc)
3377 			return rc;
3378 	}
3379 
3380 	return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3381 }
3382 
3383 static int selinux_file_lock(struct file *file, unsigned int cmd)
3384 {
3385 	const struct cred *cred = current_cred();
3386 
3387 	return file_has_perm(cred, file, FILE__LOCK);
3388 }
3389 
3390 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3391 			      unsigned long arg)
3392 {
3393 	const struct cred *cred = current_cred();
3394 	int err = 0;
3395 
3396 	switch (cmd) {
3397 	case F_SETFL:
3398 		if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3399 			err = file_has_perm(cred, file, FILE__WRITE);
3400 			break;
3401 		}
3402 		/* fall through */
3403 	case F_SETOWN:
3404 	case F_SETSIG:
3405 	case F_GETFL:
3406 	case F_GETOWN:
3407 	case F_GETSIG:
3408 	case F_GETOWNER_UIDS:
3409 		/* Just check FD__USE permission */
3410 		err = file_has_perm(cred, file, 0);
3411 		break;
3412 	case F_GETLK:
3413 	case F_SETLK:
3414 	case F_SETLKW:
3415 	case F_OFD_GETLK:
3416 	case F_OFD_SETLK:
3417 	case F_OFD_SETLKW:
3418 #if BITS_PER_LONG == 32
3419 	case F_GETLK64:
3420 	case F_SETLK64:
3421 	case F_SETLKW64:
3422 #endif
3423 		err = file_has_perm(cred, file, FILE__LOCK);
3424 		break;
3425 	}
3426 
3427 	return err;
3428 }
3429 
3430 static void selinux_file_set_fowner(struct file *file)
3431 {
3432 	struct file_security_struct *fsec;
3433 
3434 	fsec = file->f_security;
3435 	fsec->fown_sid = current_sid();
3436 }
3437 
3438 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3439 				       struct fown_struct *fown, int signum)
3440 {
3441 	struct file *file;
3442 	u32 sid = task_sid(tsk);
3443 	u32 perm;
3444 	struct file_security_struct *fsec;
3445 
3446 	/* struct fown_struct is never outside the context of a struct file */
3447 	file = container_of(fown, struct file, f_owner);
3448 
3449 	fsec = file->f_security;
3450 
3451 	if (!signum)
3452 		perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3453 	else
3454 		perm = signal_to_av(signum);
3455 
3456 	return avc_has_perm(fsec->fown_sid, sid,
3457 			    SECCLASS_PROCESS, perm, NULL);
3458 }
3459 
3460 static int selinux_file_receive(struct file *file)
3461 {
3462 	const struct cred *cred = current_cred();
3463 
3464 	return file_has_perm(cred, file, file_to_av(file));
3465 }
3466 
3467 static int selinux_file_open(struct file *file, const struct cred *cred)
3468 {
3469 	struct file_security_struct *fsec;
3470 	struct inode_security_struct *isec;
3471 
3472 	fsec = file->f_security;
3473 	isec = file_inode(file)->i_security;
3474 	/*
3475 	 * Save inode label and policy sequence number
3476 	 * at open-time so that selinux_file_permission
3477 	 * can determine whether revalidation is necessary.
3478 	 * Task label is already saved in the file security
3479 	 * struct as its SID.
3480 	 */
3481 	fsec->isid = isec->sid;
3482 	fsec->pseqno = avc_policy_seqno();
3483 	/*
3484 	 * Since the inode label or policy seqno may have changed
3485 	 * between the selinux_inode_permission check and the saving
3486 	 * of state above, recheck that access is still permitted.
3487 	 * Otherwise, access might never be revalidated against the
3488 	 * new inode label or new policy.
3489 	 * This check is not redundant - do not remove.
3490 	 */
3491 	return file_path_has_perm(cred, file, open_file_to_av(file));
3492 }
3493 
3494 /* task security operations */
3495 
3496 static int selinux_task_create(unsigned long clone_flags)
3497 {
3498 	return current_has_perm(current, PROCESS__FORK);
3499 }
3500 
3501 /*
3502  * allocate the SELinux part of blank credentials
3503  */
3504 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3505 {
3506 	struct task_security_struct *tsec;
3507 
3508 	tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3509 	if (!tsec)
3510 		return -ENOMEM;
3511 
3512 	cred->security = tsec;
3513 	return 0;
3514 }
3515 
3516 /*
3517  * detach and free the LSM part of a set of credentials
3518  */
3519 static void selinux_cred_free(struct cred *cred)
3520 {
3521 	struct task_security_struct *tsec = cred->security;
3522 
3523 	/*
3524 	 * cred->security == NULL if security_cred_alloc_blank() or
3525 	 * security_prepare_creds() returned an error.
3526 	 */
3527 	BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3528 	cred->security = (void *) 0x7UL;
3529 	kfree(tsec);
3530 }
3531 
3532 /*
3533  * prepare a new set of credentials for modification
3534  */
3535 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3536 				gfp_t gfp)
3537 {
3538 	const struct task_security_struct *old_tsec;
3539 	struct task_security_struct *tsec;
3540 
3541 	old_tsec = old->security;
3542 
3543 	tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3544 	if (!tsec)
3545 		return -ENOMEM;
3546 
3547 	new->security = tsec;
3548 	return 0;
3549 }
3550 
3551 /*
3552  * transfer the SELinux data to a blank set of creds
3553  */
3554 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3555 {
3556 	const struct task_security_struct *old_tsec = old->security;
3557 	struct task_security_struct *tsec = new->security;
3558 
3559 	*tsec = *old_tsec;
3560 }
3561 
3562 /*
3563  * set the security data for a kernel service
3564  * - all the creation contexts are set to unlabelled
3565  */
3566 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3567 {
3568 	struct task_security_struct *tsec = new->security;
3569 	u32 sid = current_sid();
3570 	int ret;
3571 
3572 	ret = avc_has_perm(sid, secid,
3573 			   SECCLASS_KERNEL_SERVICE,
3574 			   KERNEL_SERVICE__USE_AS_OVERRIDE,
3575 			   NULL);
3576 	if (ret == 0) {
3577 		tsec->sid = secid;
3578 		tsec->create_sid = 0;
3579 		tsec->keycreate_sid = 0;
3580 		tsec->sockcreate_sid = 0;
3581 	}
3582 	return ret;
3583 }
3584 
3585 /*
3586  * set the file creation context in a security record to the same as the
3587  * objective context of the specified inode
3588  */
3589 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3590 {
3591 	struct inode_security_struct *isec = inode->i_security;
3592 	struct task_security_struct *tsec = new->security;
3593 	u32 sid = current_sid();
3594 	int ret;
3595 
3596 	ret = avc_has_perm(sid, isec->sid,
3597 			   SECCLASS_KERNEL_SERVICE,
3598 			   KERNEL_SERVICE__CREATE_FILES_AS,
3599 			   NULL);
3600 
3601 	if (ret == 0)
3602 		tsec->create_sid = isec->sid;
3603 	return ret;
3604 }
3605 
3606 static int selinux_kernel_module_request(char *kmod_name)
3607 {
3608 	u32 sid;
3609 	struct common_audit_data ad;
3610 
3611 	sid = task_sid(current);
3612 
3613 	ad.type = LSM_AUDIT_DATA_KMOD;
3614 	ad.u.kmod_name = kmod_name;
3615 
3616 	return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM,
3617 			    SYSTEM__MODULE_REQUEST, &ad);
3618 }
3619 
3620 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3621 {
3622 	return current_has_perm(p, PROCESS__SETPGID);
3623 }
3624 
3625 static int selinux_task_getpgid(struct task_struct *p)
3626 {
3627 	return current_has_perm(p, PROCESS__GETPGID);
3628 }
3629 
3630 static int selinux_task_getsid(struct task_struct *p)
3631 {
3632 	return current_has_perm(p, PROCESS__GETSESSION);
3633 }
3634 
3635 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3636 {
3637 	*secid = task_sid(p);
3638 }
3639 
3640 static int selinux_task_setnice(struct task_struct *p, int nice)
3641 {
3642 	int rc;
3643 
3644 	rc = cap_task_setnice(p, nice);
3645 	if (rc)
3646 		return rc;
3647 
3648 	return current_has_perm(p, PROCESS__SETSCHED);
3649 }
3650 
3651 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3652 {
3653 	int rc;
3654 
3655 	rc = cap_task_setioprio(p, ioprio);
3656 	if (rc)
3657 		return rc;
3658 
3659 	return current_has_perm(p, PROCESS__SETSCHED);
3660 }
3661 
3662 static int selinux_task_getioprio(struct task_struct *p)
3663 {
3664 	return current_has_perm(p, PROCESS__GETSCHED);
3665 }
3666 
3667 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
3668 		struct rlimit *new_rlim)
3669 {
3670 	struct rlimit *old_rlim = p->signal->rlim + resource;
3671 
3672 	/* Control the ability to change the hard limit (whether
3673 	   lowering or raising it), so that the hard limit can
3674 	   later be used as a safe reset point for the soft limit
3675 	   upon context transitions.  See selinux_bprm_committing_creds. */
3676 	if (old_rlim->rlim_max != new_rlim->rlim_max)
3677 		return current_has_perm(p, PROCESS__SETRLIMIT);
3678 
3679 	return 0;
3680 }
3681 
3682 static int selinux_task_setscheduler(struct task_struct *p)
3683 {
3684 	int rc;
3685 
3686 	rc = cap_task_setscheduler(p);
3687 	if (rc)
3688 		return rc;
3689 
3690 	return current_has_perm(p, PROCESS__SETSCHED);
3691 }
3692 
3693 static int selinux_task_getscheduler(struct task_struct *p)
3694 {
3695 	return current_has_perm(p, PROCESS__GETSCHED);
3696 }
3697 
3698 static int selinux_task_movememory(struct task_struct *p)
3699 {
3700 	return current_has_perm(p, PROCESS__SETSCHED);
3701 }
3702 
3703 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3704 				int sig, u32 secid)
3705 {
3706 	u32 perm;
3707 	int rc;
3708 
3709 	if (!sig)
3710 		perm = PROCESS__SIGNULL; /* null signal; existence test */
3711 	else
3712 		perm = signal_to_av(sig);
3713 	if (secid)
3714 		rc = avc_has_perm(secid, task_sid(p),
3715 				  SECCLASS_PROCESS, perm, NULL);
3716 	else
3717 		rc = current_has_perm(p, perm);
3718 	return rc;
3719 }
3720 
3721 static int selinux_task_wait(struct task_struct *p)
3722 {
3723 	return task_has_perm(p, current, PROCESS__SIGCHLD);
3724 }
3725 
3726 static void selinux_task_to_inode(struct task_struct *p,
3727 				  struct inode *inode)
3728 {
3729 	struct inode_security_struct *isec = inode->i_security;
3730 	u32 sid = task_sid(p);
3731 
3732 	isec->sid = sid;
3733 	isec->initialized = 1;
3734 }
3735 
3736 /* Returns error only if unable to parse addresses */
3737 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3738 			struct common_audit_data *ad, u8 *proto)
3739 {
3740 	int offset, ihlen, ret = -EINVAL;
3741 	struct iphdr _iph, *ih;
3742 
3743 	offset = skb_network_offset(skb);
3744 	ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3745 	if (ih == NULL)
3746 		goto out;
3747 
3748 	ihlen = ih->ihl * 4;
3749 	if (ihlen < sizeof(_iph))
3750 		goto out;
3751 
3752 	ad->u.net->v4info.saddr = ih->saddr;
3753 	ad->u.net->v4info.daddr = ih->daddr;
3754 	ret = 0;
3755 
3756 	if (proto)
3757 		*proto = ih->protocol;
3758 
3759 	switch (ih->protocol) {
3760 	case IPPROTO_TCP: {
3761 		struct tcphdr _tcph, *th;
3762 
3763 		if (ntohs(ih->frag_off) & IP_OFFSET)
3764 			break;
3765 
3766 		offset += ihlen;
3767 		th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3768 		if (th == NULL)
3769 			break;
3770 
3771 		ad->u.net->sport = th->source;
3772 		ad->u.net->dport = th->dest;
3773 		break;
3774 	}
3775 
3776 	case IPPROTO_UDP: {
3777 		struct udphdr _udph, *uh;
3778 
3779 		if (ntohs(ih->frag_off) & IP_OFFSET)
3780 			break;
3781 
3782 		offset += ihlen;
3783 		uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3784 		if (uh == NULL)
3785 			break;
3786 
3787 		ad->u.net->sport = uh->source;
3788 		ad->u.net->dport = uh->dest;
3789 		break;
3790 	}
3791 
3792 	case IPPROTO_DCCP: {
3793 		struct dccp_hdr _dccph, *dh;
3794 
3795 		if (ntohs(ih->frag_off) & IP_OFFSET)
3796 			break;
3797 
3798 		offset += ihlen;
3799 		dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3800 		if (dh == NULL)
3801 			break;
3802 
3803 		ad->u.net->sport = dh->dccph_sport;
3804 		ad->u.net->dport = dh->dccph_dport;
3805 		break;
3806 	}
3807 
3808 	default:
3809 		break;
3810 	}
3811 out:
3812 	return ret;
3813 }
3814 
3815 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3816 
3817 /* Returns error only if unable to parse addresses */
3818 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3819 			struct common_audit_data *ad, u8 *proto)
3820 {
3821 	u8 nexthdr;
3822 	int ret = -EINVAL, offset;
3823 	struct ipv6hdr _ipv6h, *ip6;
3824 	__be16 frag_off;
3825 
3826 	offset = skb_network_offset(skb);
3827 	ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3828 	if (ip6 == NULL)
3829 		goto out;
3830 
3831 	ad->u.net->v6info.saddr = ip6->saddr;
3832 	ad->u.net->v6info.daddr = ip6->daddr;
3833 	ret = 0;
3834 
3835 	nexthdr = ip6->nexthdr;
3836 	offset += sizeof(_ipv6h);
3837 	offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
3838 	if (offset < 0)
3839 		goto out;
3840 
3841 	if (proto)
3842 		*proto = nexthdr;
3843 
3844 	switch (nexthdr) {
3845 	case IPPROTO_TCP: {
3846 		struct tcphdr _tcph, *th;
3847 
3848 		th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3849 		if (th == NULL)
3850 			break;
3851 
3852 		ad->u.net->sport = th->source;
3853 		ad->u.net->dport = th->dest;
3854 		break;
3855 	}
3856 
3857 	case IPPROTO_UDP: {
3858 		struct udphdr _udph, *uh;
3859 
3860 		uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3861 		if (uh == NULL)
3862 			break;
3863 
3864 		ad->u.net->sport = uh->source;
3865 		ad->u.net->dport = uh->dest;
3866 		break;
3867 	}
3868 
3869 	case IPPROTO_DCCP: {
3870 		struct dccp_hdr _dccph, *dh;
3871 
3872 		dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3873 		if (dh == NULL)
3874 			break;
3875 
3876 		ad->u.net->sport = dh->dccph_sport;
3877 		ad->u.net->dport = dh->dccph_dport;
3878 		break;
3879 	}
3880 
3881 	/* includes fragments */
3882 	default:
3883 		break;
3884 	}
3885 out:
3886 	return ret;
3887 }
3888 
3889 #endif /* IPV6 */
3890 
3891 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
3892 			     char **_addrp, int src, u8 *proto)
3893 {
3894 	char *addrp;
3895 	int ret;
3896 
3897 	switch (ad->u.net->family) {
3898 	case PF_INET:
3899 		ret = selinux_parse_skb_ipv4(skb, ad, proto);
3900 		if (ret)
3901 			goto parse_error;
3902 		addrp = (char *)(src ? &ad->u.net->v4info.saddr :
3903 				       &ad->u.net->v4info.daddr);
3904 		goto okay;
3905 
3906 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3907 	case PF_INET6:
3908 		ret = selinux_parse_skb_ipv6(skb, ad, proto);
3909 		if (ret)
3910 			goto parse_error;
3911 		addrp = (char *)(src ? &ad->u.net->v6info.saddr :
3912 				       &ad->u.net->v6info.daddr);
3913 		goto okay;
3914 #endif	/* IPV6 */
3915 	default:
3916 		addrp = NULL;
3917 		goto okay;
3918 	}
3919 
3920 parse_error:
3921 	printk(KERN_WARNING
3922 	       "SELinux: failure in selinux_parse_skb(),"
3923 	       " unable to parse packet\n");
3924 	return ret;
3925 
3926 okay:
3927 	if (_addrp)
3928 		*_addrp = addrp;
3929 	return 0;
3930 }
3931 
3932 /**
3933  * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3934  * @skb: the packet
3935  * @family: protocol family
3936  * @sid: the packet's peer label SID
3937  *
3938  * Description:
3939  * Check the various different forms of network peer labeling and determine
3940  * the peer label/SID for the packet; most of the magic actually occurs in
3941  * the security server function security_net_peersid_cmp().  The function
3942  * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3943  * or -EACCES if @sid is invalid due to inconsistencies with the different
3944  * peer labels.
3945  *
3946  */
3947 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3948 {
3949 	int err;
3950 	u32 xfrm_sid;
3951 	u32 nlbl_sid;
3952 	u32 nlbl_type;
3953 
3954 	err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
3955 	if (unlikely(err))
3956 		return -EACCES;
3957 	err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3958 	if (unlikely(err))
3959 		return -EACCES;
3960 
3961 	err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3962 	if (unlikely(err)) {
3963 		printk(KERN_WARNING
3964 		       "SELinux: failure in selinux_skb_peerlbl_sid(),"
3965 		       " unable to determine packet's peer label\n");
3966 		return -EACCES;
3967 	}
3968 
3969 	return 0;
3970 }
3971 
3972 /**
3973  * selinux_conn_sid - Determine the child socket label for a connection
3974  * @sk_sid: the parent socket's SID
3975  * @skb_sid: the packet's SID
3976  * @conn_sid: the resulting connection SID
3977  *
3978  * If @skb_sid is valid then the user:role:type information from @sk_sid is
3979  * combined with the MLS information from @skb_sid in order to create
3980  * @conn_sid.  If @skb_sid is not valid then then @conn_sid is simply a copy
3981  * of @sk_sid.  Returns zero on success, negative values on failure.
3982  *
3983  */
3984 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
3985 {
3986 	int err = 0;
3987 
3988 	if (skb_sid != SECSID_NULL)
3989 		err = security_sid_mls_copy(sk_sid, skb_sid, conn_sid);
3990 	else
3991 		*conn_sid = sk_sid;
3992 
3993 	return err;
3994 }
3995 
3996 /* socket security operations */
3997 
3998 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
3999 				 u16 secclass, u32 *socksid)
4000 {
4001 	if (tsec->sockcreate_sid > SECSID_NULL) {
4002 		*socksid = tsec->sockcreate_sid;
4003 		return 0;
4004 	}
4005 
4006 	return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
4007 				       socksid);
4008 }
4009 
4010 static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
4011 {
4012 	struct sk_security_struct *sksec = sk->sk_security;
4013 	struct common_audit_data ad;
4014 	struct lsm_network_audit net = {0,};
4015 	u32 tsid = task_sid(task);
4016 
4017 	if (sksec->sid == SECINITSID_KERNEL)
4018 		return 0;
4019 
4020 	ad.type = LSM_AUDIT_DATA_NET;
4021 	ad.u.net = &net;
4022 	ad.u.net->sk = sk;
4023 
4024 	return avc_has_perm(tsid, sksec->sid, sksec->sclass, perms, &ad);
4025 }
4026 
4027 static int selinux_socket_create(int family, int type,
4028 				 int protocol, int kern)
4029 {
4030 	const struct task_security_struct *tsec = current_security();
4031 	u32 newsid;
4032 	u16 secclass;
4033 	int rc;
4034 
4035 	if (kern)
4036 		return 0;
4037 
4038 	secclass = socket_type_to_security_class(family, type, protocol);
4039 	rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4040 	if (rc)
4041 		return rc;
4042 
4043 	return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4044 }
4045 
4046 static int selinux_socket_post_create(struct socket *sock, int family,
4047 				      int type, int protocol, int kern)
4048 {
4049 	const struct task_security_struct *tsec = current_security();
4050 	struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
4051 	struct sk_security_struct *sksec;
4052 	int err = 0;
4053 
4054 	isec->sclass = socket_type_to_security_class(family, type, protocol);
4055 
4056 	if (kern)
4057 		isec->sid = SECINITSID_KERNEL;
4058 	else {
4059 		err = socket_sockcreate_sid(tsec, isec->sclass, &(isec->sid));
4060 		if (err)
4061 			return err;
4062 	}
4063 
4064 	isec->initialized = 1;
4065 
4066 	if (sock->sk) {
4067 		sksec = sock->sk->sk_security;
4068 		sksec->sid = isec->sid;
4069 		sksec->sclass = isec->sclass;
4070 		err = selinux_netlbl_socket_post_create(sock->sk, family);
4071 	}
4072 
4073 	return err;
4074 }
4075 
4076 /* Range of port numbers used to automatically bind.
4077    Need to determine whether we should perform a name_bind
4078    permission check between the socket and the port number. */
4079 
4080 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4081 {
4082 	struct sock *sk = sock->sk;
4083 	u16 family;
4084 	int err;
4085 
4086 	err = sock_has_perm(current, sk, SOCKET__BIND);
4087 	if (err)
4088 		goto out;
4089 
4090 	/*
4091 	 * If PF_INET or PF_INET6, check name_bind permission for the port.
4092 	 * Multiple address binding for SCTP is not supported yet: we just
4093 	 * check the first address now.
4094 	 */
4095 	family = sk->sk_family;
4096 	if (family == PF_INET || family == PF_INET6) {
4097 		char *addrp;
4098 		struct sk_security_struct *sksec = sk->sk_security;
4099 		struct common_audit_data ad;
4100 		struct lsm_network_audit net = {0,};
4101 		struct sockaddr_in *addr4 = NULL;
4102 		struct sockaddr_in6 *addr6 = NULL;
4103 		unsigned short snum;
4104 		u32 sid, node_perm;
4105 
4106 		if (family == PF_INET) {
4107 			addr4 = (struct sockaddr_in *)address;
4108 			snum = ntohs(addr4->sin_port);
4109 			addrp = (char *)&addr4->sin_addr.s_addr;
4110 		} else {
4111 			addr6 = (struct sockaddr_in6 *)address;
4112 			snum = ntohs(addr6->sin6_port);
4113 			addrp = (char *)&addr6->sin6_addr.s6_addr;
4114 		}
4115 
4116 		if (snum) {
4117 			int low, high;
4118 
4119 			inet_get_local_port_range(sock_net(sk), &low, &high);
4120 
4121 			if (snum < max(PROT_SOCK, low) || snum > high) {
4122 				err = sel_netport_sid(sk->sk_protocol,
4123 						      snum, &sid);
4124 				if (err)
4125 					goto out;
4126 				ad.type = LSM_AUDIT_DATA_NET;
4127 				ad.u.net = &net;
4128 				ad.u.net->sport = htons(snum);
4129 				ad.u.net->family = family;
4130 				err = avc_has_perm(sksec->sid, sid,
4131 						   sksec->sclass,
4132 						   SOCKET__NAME_BIND, &ad);
4133 				if (err)
4134 					goto out;
4135 			}
4136 		}
4137 
4138 		switch (sksec->sclass) {
4139 		case SECCLASS_TCP_SOCKET:
4140 			node_perm = TCP_SOCKET__NODE_BIND;
4141 			break;
4142 
4143 		case SECCLASS_UDP_SOCKET:
4144 			node_perm = UDP_SOCKET__NODE_BIND;
4145 			break;
4146 
4147 		case SECCLASS_DCCP_SOCKET:
4148 			node_perm = DCCP_SOCKET__NODE_BIND;
4149 			break;
4150 
4151 		default:
4152 			node_perm = RAWIP_SOCKET__NODE_BIND;
4153 			break;
4154 		}
4155 
4156 		err = sel_netnode_sid(addrp, family, &sid);
4157 		if (err)
4158 			goto out;
4159 
4160 		ad.type = LSM_AUDIT_DATA_NET;
4161 		ad.u.net = &net;
4162 		ad.u.net->sport = htons(snum);
4163 		ad.u.net->family = family;
4164 
4165 		if (family == PF_INET)
4166 			ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4167 		else
4168 			ad.u.net->v6info.saddr = addr6->sin6_addr;
4169 
4170 		err = avc_has_perm(sksec->sid, sid,
4171 				   sksec->sclass, node_perm, &ad);
4172 		if (err)
4173 			goto out;
4174 	}
4175 out:
4176 	return err;
4177 }
4178 
4179 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
4180 {
4181 	struct sock *sk = sock->sk;
4182 	struct sk_security_struct *sksec = sk->sk_security;
4183 	int err;
4184 
4185 	err = sock_has_perm(current, sk, SOCKET__CONNECT);
4186 	if (err)
4187 		return err;
4188 
4189 	/*
4190 	 * If a TCP or DCCP socket, check name_connect permission for the port.
4191 	 */
4192 	if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4193 	    sksec->sclass == SECCLASS_DCCP_SOCKET) {
4194 		struct common_audit_data ad;
4195 		struct lsm_network_audit net = {0,};
4196 		struct sockaddr_in *addr4 = NULL;
4197 		struct sockaddr_in6 *addr6 = NULL;
4198 		unsigned short snum;
4199 		u32 sid, perm;
4200 
4201 		if (sk->sk_family == PF_INET) {
4202 			addr4 = (struct sockaddr_in *)address;
4203 			if (addrlen < sizeof(struct sockaddr_in))
4204 				return -EINVAL;
4205 			snum = ntohs(addr4->sin_port);
4206 		} else {
4207 			addr6 = (struct sockaddr_in6 *)address;
4208 			if (addrlen < SIN6_LEN_RFC2133)
4209 				return -EINVAL;
4210 			snum = ntohs(addr6->sin6_port);
4211 		}
4212 
4213 		err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4214 		if (err)
4215 			goto out;
4216 
4217 		perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
4218 		       TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
4219 
4220 		ad.type = LSM_AUDIT_DATA_NET;
4221 		ad.u.net = &net;
4222 		ad.u.net->dport = htons(snum);
4223 		ad.u.net->family = sk->sk_family;
4224 		err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
4225 		if (err)
4226 			goto out;
4227 	}
4228 
4229 	err = selinux_netlbl_socket_connect(sk, address);
4230 
4231 out:
4232 	return err;
4233 }
4234 
4235 static int selinux_socket_listen(struct socket *sock, int backlog)
4236 {
4237 	return sock_has_perm(current, sock->sk, SOCKET__LISTEN);
4238 }
4239 
4240 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4241 {
4242 	int err;
4243 	struct inode_security_struct *isec;
4244 	struct inode_security_struct *newisec;
4245 
4246 	err = sock_has_perm(current, sock->sk, SOCKET__ACCEPT);
4247 	if (err)
4248 		return err;
4249 
4250 	newisec = SOCK_INODE(newsock)->i_security;
4251 
4252 	isec = SOCK_INODE(sock)->i_security;
4253 	newisec->sclass = isec->sclass;
4254 	newisec->sid = isec->sid;
4255 	newisec->initialized = 1;
4256 
4257 	return 0;
4258 }
4259 
4260 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4261 				  int size)
4262 {
4263 	return sock_has_perm(current, sock->sk, SOCKET__WRITE);
4264 }
4265 
4266 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4267 				  int size, int flags)
4268 {
4269 	return sock_has_perm(current, sock->sk, SOCKET__READ);
4270 }
4271 
4272 static int selinux_socket_getsockname(struct socket *sock)
4273 {
4274 	return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4275 }
4276 
4277 static int selinux_socket_getpeername(struct socket *sock)
4278 {
4279 	return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4280 }
4281 
4282 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4283 {
4284 	int err;
4285 
4286 	err = sock_has_perm(current, sock->sk, SOCKET__SETOPT);
4287 	if (err)
4288 		return err;
4289 
4290 	return selinux_netlbl_socket_setsockopt(sock, level, optname);
4291 }
4292 
4293 static int selinux_socket_getsockopt(struct socket *sock, int level,
4294 				     int optname)
4295 {
4296 	return sock_has_perm(current, sock->sk, SOCKET__GETOPT);
4297 }
4298 
4299 static int selinux_socket_shutdown(struct socket *sock, int how)
4300 {
4301 	return sock_has_perm(current, sock->sk, SOCKET__SHUTDOWN);
4302 }
4303 
4304 static int selinux_socket_unix_stream_connect(struct sock *sock,
4305 					      struct sock *other,
4306 					      struct sock *newsk)
4307 {
4308 	struct sk_security_struct *sksec_sock = sock->sk_security;
4309 	struct sk_security_struct *sksec_other = other->sk_security;
4310 	struct sk_security_struct *sksec_new = newsk->sk_security;
4311 	struct common_audit_data ad;
4312 	struct lsm_network_audit net = {0,};
4313 	int err;
4314 
4315 	ad.type = LSM_AUDIT_DATA_NET;
4316 	ad.u.net = &net;
4317 	ad.u.net->sk = other;
4318 
4319 	err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
4320 			   sksec_other->sclass,
4321 			   UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4322 	if (err)
4323 		return err;
4324 
4325 	/* server child socket */
4326 	sksec_new->peer_sid = sksec_sock->sid;
4327 	err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
4328 				    &sksec_new->sid);
4329 	if (err)
4330 		return err;
4331 
4332 	/* connecting socket */
4333 	sksec_sock->peer_sid = sksec_new->sid;
4334 
4335 	return 0;
4336 }
4337 
4338 static int selinux_socket_unix_may_send(struct socket *sock,
4339 					struct socket *other)
4340 {
4341 	struct sk_security_struct *ssec = sock->sk->sk_security;
4342 	struct sk_security_struct *osec = other->sk->sk_security;
4343 	struct common_audit_data ad;
4344 	struct lsm_network_audit net = {0,};
4345 
4346 	ad.type = LSM_AUDIT_DATA_NET;
4347 	ad.u.net = &net;
4348 	ad.u.net->sk = other->sk;
4349 
4350 	return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4351 			    &ad);
4352 }
4353 
4354 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4355 				    char *addrp, u16 family, u32 peer_sid,
4356 				    struct common_audit_data *ad)
4357 {
4358 	int err;
4359 	u32 if_sid;
4360 	u32 node_sid;
4361 
4362 	err = sel_netif_sid(ns, ifindex, &if_sid);
4363 	if (err)
4364 		return err;
4365 	err = avc_has_perm(peer_sid, if_sid,
4366 			   SECCLASS_NETIF, NETIF__INGRESS, ad);
4367 	if (err)
4368 		return err;
4369 
4370 	err = sel_netnode_sid(addrp, family, &node_sid);
4371 	if (err)
4372 		return err;
4373 	return avc_has_perm(peer_sid, node_sid,
4374 			    SECCLASS_NODE, NODE__RECVFROM, ad);
4375 }
4376 
4377 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4378 				       u16 family)
4379 {
4380 	int err = 0;
4381 	struct sk_security_struct *sksec = sk->sk_security;
4382 	u32 sk_sid = sksec->sid;
4383 	struct common_audit_data ad;
4384 	struct lsm_network_audit net = {0,};
4385 	char *addrp;
4386 
4387 	ad.type = LSM_AUDIT_DATA_NET;
4388 	ad.u.net = &net;
4389 	ad.u.net->netif = skb->skb_iif;
4390 	ad.u.net->family = family;
4391 	err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4392 	if (err)
4393 		return err;
4394 
4395 	if (selinux_secmark_enabled()) {
4396 		err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4397 				   PACKET__RECV, &ad);
4398 		if (err)
4399 			return err;
4400 	}
4401 
4402 	err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4403 	if (err)
4404 		return err;
4405 	err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4406 
4407 	return err;
4408 }
4409 
4410 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4411 {
4412 	int err;
4413 	struct sk_security_struct *sksec = sk->sk_security;
4414 	u16 family = sk->sk_family;
4415 	u32 sk_sid = sksec->sid;
4416 	struct common_audit_data ad;
4417 	struct lsm_network_audit net = {0,};
4418 	char *addrp;
4419 	u8 secmark_active;
4420 	u8 peerlbl_active;
4421 
4422 	if (family != PF_INET && family != PF_INET6)
4423 		return 0;
4424 
4425 	/* Handle mapped IPv4 packets arriving via IPv6 sockets */
4426 	if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4427 		family = PF_INET;
4428 
4429 	/* If any sort of compatibility mode is enabled then handoff processing
4430 	 * to the selinux_sock_rcv_skb_compat() function to deal with the
4431 	 * special handling.  We do this in an attempt to keep this function
4432 	 * as fast and as clean as possible. */
4433 	if (!selinux_policycap_netpeer)
4434 		return selinux_sock_rcv_skb_compat(sk, skb, family);
4435 
4436 	secmark_active = selinux_secmark_enabled();
4437 	peerlbl_active = selinux_peerlbl_enabled();
4438 	if (!secmark_active && !peerlbl_active)
4439 		return 0;
4440 
4441 	ad.type = LSM_AUDIT_DATA_NET;
4442 	ad.u.net = &net;
4443 	ad.u.net->netif = skb->skb_iif;
4444 	ad.u.net->family = family;
4445 	err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4446 	if (err)
4447 		return err;
4448 
4449 	if (peerlbl_active) {
4450 		u32 peer_sid;
4451 
4452 		err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4453 		if (err)
4454 			return err;
4455 		err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
4456 					       addrp, family, peer_sid, &ad);
4457 		if (err) {
4458 			selinux_netlbl_err(skb, err, 0);
4459 			return err;
4460 		}
4461 		err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4462 				   PEER__RECV, &ad);
4463 		if (err) {
4464 			selinux_netlbl_err(skb, err, 0);
4465 			return err;
4466 		}
4467 	}
4468 
4469 	if (secmark_active) {
4470 		err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4471 				   PACKET__RECV, &ad);
4472 		if (err)
4473 			return err;
4474 	}
4475 
4476 	return err;
4477 }
4478 
4479 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4480 					    int __user *optlen, unsigned len)
4481 {
4482 	int err = 0;
4483 	char *scontext;
4484 	u32 scontext_len;
4485 	struct sk_security_struct *sksec = sock->sk->sk_security;
4486 	u32 peer_sid = SECSID_NULL;
4487 
4488 	if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4489 	    sksec->sclass == SECCLASS_TCP_SOCKET)
4490 		peer_sid = sksec->peer_sid;
4491 	if (peer_sid == SECSID_NULL)
4492 		return -ENOPROTOOPT;
4493 
4494 	err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4495 	if (err)
4496 		return err;
4497 
4498 	if (scontext_len > len) {
4499 		err = -ERANGE;
4500 		goto out_len;
4501 	}
4502 
4503 	if (copy_to_user(optval, scontext, scontext_len))
4504 		err = -EFAULT;
4505 
4506 out_len:
4507 	if (put_user(scontext_len, optlen))
4508 		err = -EFAULT;
4509 	kfree(scontext);
4510 	return err;
4511 }
4512 
4513 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4514 {
4515 	u32 peer_secid = SECSID_NULL;
4516 	u16 family;
4517 
4518 	if (skb && skb->protocol == htons(ETH_P_IP))
4519 		family = PF_INET;
4520 	else if (skb && skb->protocol == htons(ETH_P_IPV6))
4521 		family = PF_INET6;
4522 	else if (sock)
4523 		family = sock->sk->sk_family;
4524 	else
4525 		goto out;
4526 
4527 	if (sock && family == PF_UNIX)
4528 		selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4529 	else if (skb)
4530 		selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4531 
4532 out:
4533 	*secid = peer_secid;
4534 	if (peer_secid == SECSID_NULL)
4535 		return -EINVAL;
4536 	return 0;
4537 }
4538 
4539 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4540 {
4541 	struct sk_security_struct *sksec;
4542 
4543 	sksec = kzalloc(sizeof(*sksec), priority);
4544 	if (!sksec)
4545 		return -ENOMEM;
4546 
4547 	sksec->peer_sid = SECINITSID_UNLABELED;
4548 	sksec->sid = SECINITSID_UNLABELED;
4549 	selinux_netlbl_sk_security_reset(sksec);
4550 	sk->sk_security = sksec;
4551 
4552 	return 0;
4553 }
4554 
4555 static void selinux_sk_free_security(struct sock *sk)
4556 {
4557 	struct sk_security_struct *sksec = sk->sk_security;
4558 
4559 	sk->sk_security = NULL;
4560 	selinux_netlbl_sk_security_free(sksec);
4561 	kfree(sksec);
4562 }
4563 
4564 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4565 {
4566 	struct sk_security_struct *sksec = sk->sk_security;
4567 	struct sk_security_struct *newsksec = newsk->sk_security;
4568 
4569 	newsksec->sid = sksec->sid;
4570 	newsksec->peer_sid = sksec->peer_sid;
4571 	newsksec->sclass = sksec->sclass;
4572 
4573 	selinux_netlbl_sk_security_reset(newsksec);
4574 }
4575 
4576 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4577 {
4578 	if (!sk)
4579 		*secid = SECINITSID_ANY_SOCKET;
4580 	else {
4581 		struct sk_security_struct *sksec = sk->sk_security;
4582 
4583 		*secid = sksec->sid;
4584 	}
4585 }
4586 
4587 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4588 {
4589 	struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4590 	struct sk_security_struct *sksec = sk->sk_security;
4591 
4592 	if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4593 	    sk->sk_family == PF_UNIX)
4594 		isec->sid = sksec->sid;
4595 	sksec->sclass = isec->sclass;
4596 }
4597 
4598 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4599 				     struct request_sock *req)
4600 {
4601 	struct sk_security_struct *sksec = sk->sk_security;
4602 	int err;
4603 	u16 family = req->rsk_ops->family;
4604 	u32 connsid;
4605 	u32 peersid;
4606 
4607 	err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4608 	if (err)
4609 		return err;
4610 	err = selinux_conn_sid(sksec->sid, peersid, &connsid);
4611 	if (err)
4612 		return err;
4613 	req->secid = connsid;
4614 	req->peer_secid = peersid;
4615 
4616 	return selinux_netlbl_inet_conn_request(req, family);
4617 }
4618 
4619 static void selinux_inet_csk_clone(struct sock *newsk,
4620 				   const struct request_sock *req)
4621 {
4622 	struct sk_security_struct *newsksec = newsk->sk_security;
4623 
4624 	newsksec->sid = req->secid;
4625 	newsksec->peer_sid = req->peer_secid;
4626 	/* NOTE: Ideally, we should also get the isec->sid for the
4627 	   new socket in sync, but we don't have the isec available yet.
4628 	   So we will wait until sock_graft to do it, by which
4629 	   time it will have been created and available. */
4630 
4631 	/* We don't need to take any sort of lock here as we are the only
4632 	 * thread with access to newsksec */
4633 	selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4634 }
4635 
4636 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4637 {
4638 	u16 family = sk->sk_family;
4639 	struct sk_security_struct *sksec = sk->sk_security;
4640 
4641 	/* handle mapped IPv4 packets arriving via IPv6 sockets */
4642 	if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4643 		family = PF_INET;
4644 
4645 	selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4646 }
4647 
4648 static int selinux_secmark_relabel_packet(u32 sid)
4649 {
4650 	const struct task_security_struct *__tsec;
4651 	u32 tsid;
4652 
4653 	__tsec = current_security();
4654 	tsid = __tsec->sid;
4655 
4656 	return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
4657 }
4658 
4659 static void selinux_secmark_refcount_inc(void)
4660 {
4661 	atomic_inc(&selinux_secmark_refcount);
4662 }
4663 
4664 static void selinux_secmark_refcount_dec(void)
4665 {
4666 	atomic_dec(&selinux_secmark_refcount);
4667 }
4668 
4669 static void selinux_req_classify_flow(const struct request_sock *req,
4670 				      struct flowi *fl)
4671 {
4672 	fl->flowi_secid = req->secid;
4673 }
4674 
4675 static int selinux_tun_dev_alloc_security(void **security)
4676 {
4677 	struct tun_security_struct *tunsec;
4678 
4679 	tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
4680 	if (!tunsec)
4681 		return -ENOMEM;
4682 	tunsec->sid = current_sid();
4683 
4684 	*security = tunsec;
4685 	return 0;
4686 }
4687 
4688 static void selinux_tun_dev_free_security(void *security)
4689 {
4690 	kfree(security);
4691 }
4692 
4693 static int selinux_tun_dev_create(void)
4694 {
4695 	u32 sid = current_sid();
4696 
4697 	/* we aren't taking into account the "sockcreate" SID since the socket
4698 	 * that is being created here is not a socket in the traditional sense,
4699 	 * instead it is a private sock, accessible only to the kernel, and
4700 	 * representing a wide range of network traffic spanning multiple
4701 	 * connections unlike traditional sockets - check the TUN driver to
4702 	 * get a better understanding of why this socket is special */
4703 
4704 	return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
4705 			    NULL);
4706 }
4707 
4708 static int selinux_tun_dev_attach_queue(void *security)
4709 {
4710 	struct tun_security_struct *tunsec = security;
4711 
4712 	return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
4713 			    TUN_SOCKET__ATTACH_QUEUE, NULL);
4714 }
4715 
4716 static int selinux_tun_dev_attach(struct sock *sk, void *security)
4717 {
4718 	struct tun_security_struct *tunsec = security;
4719 	struct sk_security_struct *sksec = sk->sk_security;
4720 
4721 	/* we don't currently perform any NetLabel based labeling here and it
4722 	 * isn't clear that we would want to do so anyway; while we could apply
4723 	 * labeling without the support of the TUN user the resulting labeled
4724 	 * traffic from the other end of the connection would almost certainly
4725 	 * cause confusion to the TUN user that had no idea network labeling
4726 	 * protocols were being used */
4727 
4728 	sksec->sid = tunsec->sid;
4729 	sksec->sclass = SECCLASS_TUN_SOCKET;
4730 
4731 	return 0;
4732 }
4733 
4734 static int selinux_tun_dev_open(void *security)
4735 {
4736 	struct tun_security_struct *tunsec = security;
4737 	u32 sid = current_sid();
4738 	int err;
4739 
4740 	err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET,
4741 			   TUN_SOCKET__RELABELFROM, NULL);
4742 	if (err)
4743 		return err;
4744 	err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
4745 			   TUN_SOCKET__RELABELTO, NULL);
4746 	if (err)
4747 		return err;
4748 	tunsec->sid = sid;
4749 
4750 	return 0;
4751 }
4752 
4753 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4754 {
4755 	int err = 0;
4756 	u32 perm;
4757 	struct nlmsghdr *nlh;
4758 	struct sk_security_struct *sksec = sk->sk_security;
4759 
4760 	if (skb->len < NLMSG_HDRLEN) {
4761 		err = -EINVAL;
4762 		goto out;
4763 	}
4764 	nlh = nlmsg_hdr(skb);
4765 
4766 	err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
4767 	if (err) {
4768 		if (err == -EINVAL) {
4769 			printk(KERN_WARNING
4770 			       "SELinux: unrecognized netlink message:"
4771 			       " protocol=%hu nlmsg_type=%hu sclass=%hu\n",
4772 			       sk->sk_protocol, nlh->nlmsg_type, sksec->sclass);
4773 			if (!selinux_enforcing || security_get_allow_unknown())
4774 				err = 0;
4775 		}
4776 
4777 		/* Ignore */
4778 		if (err == -ENOENT)
4779 			err = 0;
4780 		goto out;
4781 	}
4782 
4783 	err = sock_has_perm(current, sk, perm);
4784 out:
4785 	return err;
4786 }
4787 
4788 #ifdef CONFIG_NETFILTER
4789 
4790 static unsigned int selinux_ip_forward(struct sk_buff *skb,
4791 				       const struct net_device *indev,
4792 				       u16 family)
4793 {
4794 	int err;
4795 	char *addrp;
4796 	u32 peer_sid;
4797 	struct common_audit_data ad;
4798 	struct lsm_network_audit net = {0,};
4799 	u8 secmark_active;
4800 	u8 netlbl_active;
4801 	u8 peerlbl_active;
4802 
4803 	if (!selinux_policycap_netpeer)
4804 		return NF_ACCEPT;
4805 
4806 	secmark_active = selinux_secmark_enabled();
4807 	netlbl_active = netlbl_enabled();
4808 	peerlbl_active = selinux_peerlbl_enabled();
4809 	if (!secmark_active && !peerlbl_active)
4810 		return NF_ACCEPT;
4811 
4812 	if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4813 		return NF_DROP;
4814 
4815 	ad.type = LSM_AUDIT_DATA_NET;
4816 	ad.u.net = &net;
4817 	ad.u.net->netif = indev->ifindex;
4818 	ad.u.net->family = family;
4819 	if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4820 		return NF_DROP;
4821 
4822 	if (peerlbl_active) {
4823 		err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex,
4824 					       addrp, family, peer_sid, &ad);
4825 		if (err) {
4826 			selinux_netlbl_err(skb, err, 1);
4827 			return NF_DROP;
4828 		}
4829 	}
4830 
4831 	if (secmark_active)
4832 		if (avc_has_perm(peer_sid, skb->secmark,
4833 				 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4834 			return NF_DROP;
4835 
4836 	if (netlbl_active)
4837 		/* we do this in the FORWARD path and not the POST_ROUTING
4838 		 * path because we want to make sure we apply the necessary
4839 		 * labeling before IPsec is applied so we can leverage AH
4840 		 * protection */
4841 		if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
4842 			return NF_DROP;
4843 
4844 	return NF_ACCEPT;
4845 }
4846 
4847 static unsigned int selinux_ipv4_forward(const struct nf_hook_ops *ops,
4848 					 struct sk_buff *skb,
4849 					 const struct nf_hook_state *state)
4850 {
4851 	return selinux_ip_forward(skb, state->in, PF_INET);
4852 }
4853 
4854 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4855 static unsigned int selinux_ipv6_forward(const struct nf_hook_ops *ops,
4856 					 struct sk_buff *skb,
4857 					 const struct nf_hook_state *state)
4858 {
4859 	return selinux_ip_forward(skb, state->in, PF_INET6);
4860 }
4861 #endif	/* IPV6 */
4862 
4863 static unsigned int selinux_ip_output(struct sk_buff *skb,
4864 				      u16 family)
4865 {
4866 	struct sock *sk;
4867 	u32 sid;
4868 
4869 	if (!netlbl_enabled())
4870 		return NF_ACCEPT;
4871 
4872 	/* we do this in the LOCAL_OUT path and not the POST_ROUTING path
4873 	 * because we want to make sure we apply the necessary labeling
4874 	 * before IPsec is applied so we can leverage AH protection */
4875 	sk = skb->sk;
4876 	if (sk) {
4877 		struct sk_security_struct *sksec;
4878 
4879 		if (sk->sk_state == TCP_LISTEN)
4880 			/* if the socket is the listening state then this
4881 			 * packet is a SYN-ACK packet which means it needs to
4882 			 * be labeled based on the connection/request_sock and
4883 			 * not the parent socket.  unfortunately, we can't
4884 			 * lookup the request_sock yet as it isn't queued on
4885 			 * the parent socket until after the SYN-ACK is sent.
4886 			 * the "solution" is to simply pass the packet as-is
4887 			 * as any IP option based labeling should be copied
4888 			 * from the initial connection request (in the IP
4889 			 * layer).  it is far from ideal, but until we get a
4890 			 * security label in the packet itself this is the
4891 			 * best we can do. */
4892 			return NF_ACCEPT;
4893 
4894 		/* standard practice, label using the parent socket */
4895 		sksec = sk->sk_security;
4896 		sid = sksec->sid;
4897 	} else
4898 		sid = SECINITSID_KERNEL;
4899 	if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
4900 		return NF_DROP;
4901 
4902 	return NF_ACCEPT;
4903 }
4904 
4905 static unsigned int selinux_ipv4_output(const struct nf_hook_ops *ops,
4906 					struct sk_buff *skb,
4907 					const struct nf_hook_state *state)
4908 {
4909 	return selinux_ip_output(skb, PF_INET);
4910 }
4911 
4912 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4913 						int ifindex,
4914 						u16 family)
4915 {
4916 	struct sock *sk = skb->sk;
4917 	struct sk_security_struct *sksec;
4918 	struct common_audit_data ad;
4919 	struct lsm_network_audit net = {0,};
4920 	char *addrp;
4921 	u8 proto;
4922 
4923 	if (sk == NULL)
4924 		return NF_ACCEPT;
4925 	sksec = sk->sk_security;
4926 
4927 	ad.type = LSM_AUDIT_DATA_NET;
4928 	ad.u.net = &net;
4929 	ad.u.net->netif = ifindex;
4930 	ad.u.net->family = family;
4931 	if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4932 		return NF_DROP;
4933 
4934 	if (selinux_secmark_enabled())
4935 		if (avc_has_perm(sksec->sid, skb->secmark,
4936 				 SECCLASS_PACKET, PACKET__SEND, &ad))
4937 			return NF_DROP_ERR(-ECONNREFUSED);
4938 
4939 	if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
4940 		return NF_DROP_ERR(-ECONNREFUSED);
4941 
4942 	return NF_ACCEPT;
4943 }
4944 
4945 static unsigned int selinux_ip_postroute(struct sk_buff *skb,
4946 					 const struct net_device *outdev,
4947 					 u16 family)
4948 {
4949 	u32 secmark_perm;
4950 	u32 peer_sid;
4951 	int ifindex = outdev->ifindex;
4952 	struct sock *sk;
4953 	struct common_audit_data ad;
4954 	struct lsm_network_audit net = {0,};
4955 	char *addrp;
4956 	u8 secmark_active;
4957 	u8 peerlbl_active;
4958 
4959 	/* If any sort of compatibility mode is enabled then handoff processing
4960 	 * to the selinux_ip_postroute_compat() function to deal with the
4961 	 * special handling.  We do this in an attempt to keep this function
4962 	 * as fast and as clean as possible. */
4963 	if (!selinux_policycap_netpeer)
4964 		return selinux_ip_postroute_compat(skb, ifindex, family);
4965 
4966 	secmark_active = selinux_secmark_enabled();
4967 	peerlbl_active = selinux_peerlbl_enabled();
4968 	if (!secmark_active && !peerlbl_active)
4969 		return NF_ACCEPT;
4970 
4971 	sk = skb->sk;
4972 
4973 #ifdef CONFIG_XFRM
4974 	/* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4975 	 * packet transformation so allow the packet to pass without any checks
4976 	 * since we'll have another chance to perform access control checks
4977 	 * when the packet is on it's final way out.
4978 	 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4979 	 *       is NULL, in this case go ahead and apply access control.
4980 	 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
4981 	 *       TCP listening state we cannot wait until the XFRM processing
4982 	 *       is done as we will miss out on the SA label if we do;
4983 	 *       unfortunately, this means more work, but it is only once per
4984 	 *       connection. */
4985 	if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
4986 	    !(sk != NULL && sk->sk_state == TCP_LISTEN))
4987 		return NF_ACCEPT;
4988 #endif
4989 
4990 	if (sk == NULL) {
4991 		/* Without an associated socket the packet is either coming
4992 		 * from the kernel or it is being forwarded; check the packet
4993 		 * to determine which and if the packet is being forwarded
4994 		 * query the packet directly to determine the security label. */
4995 		if (skb->skb_iif) {
4996 			secmark_perm = PACKET__FORWARD_OUT;
4997 			if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4998 				return NF_DROP;
4999 		} else {
5000 			secmark_perm = PACKET__SEND;
5001 			peer_sid = SECINITSID_KERNEL;
5002 		}
5003 	} else if (sk->sk_state == TCP_LISTEN) {
5004 		/* Locally generated packet but the associated socket is in the
5005 		 * listening state which means this is a SYN-ACK packet.  In
5006 		 * this particular case the correct security label is assigned
5007 		 * to the connection/request_sock but unfortunately we can't
5008 		 * query the request_sock as it isn't queued on the parent
5009 		 * socket until after the SYN-ACK packet is sent; the only
5010 		 * viable choice is to regenerate the label like we do in
5011 		 * selinux_inet_conn_request().  See also selinux_ip_output()
5012 		 * for similar problems. */
5013 		u32 skb_sid;
5014 		struct sk_security_struct *sksec = sk->sk_security;
5015 		if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
5016 			return NF_DROP;
5017 		/* At this point, if the returned skb peerlbl is SECSID_NULL
5018 		 * and the packet has been through at least one XFRM
5019 		 * transformation then we must be dealing with the "final"
5020 		 * form of labeled IPsec packet; since we've already applied
5021 		 * all of our access controls on this packet we can safely
5022 		 * pass the packet. */
5023 		if (skb_sid == SECSID_NULL) {
5024 			switch (family) {
5025 			case PF_INET:
5026 				if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
5027 					return NF_ACCEPT;
5028 				break;
5029 			case PF_INET6:
5030 				if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
5031 					return NF_ACCEPT;
5032 				break;
5033 			default:
5034 				return NF_DROP_ERR(-ECONNREFUSED);
5035 			}
5036 		}
5037 		if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5038 			return NF_DROP;
5039 		secmark_perm = PACKET__SEND;
5040 	} else {
5041 		/* Locally generated packet, fetch the security label from the
5042 		 * associated socket. */
5043 		struct sk_security_struct *sksec = sk->sk_security;
5044 		peer_sid = sksec->sid;
5045 		secmark_perm = PACKET__SEND;
5046 	}
5047 
5048 	ad.type = LSM_AUDIT_DATA_NET;
5049 	ad.u.net = &net;
5050 	ad.u.net->netif = ifindex;
5051 	ad.u.net->family = family;
5052 	if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5053 		return NF_DROP;
5054 
5055 	if (secmark_active)
5056 		if (avc_has_perm(peer_sid, skb->secmark,
5057 				 SECCLASS_PACKET, secmark_perm, &ad))
5058 			return NF_DROP_ERR(-ECONNREFUSED);
5059 
5060 	if (peerlbl_active) {
5061 		u32 if_sid;
5062 		u32 node_sid;
5063 
5064 		if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
5065 			return NF_DROP;
5066 		if (avc_has_perm(peer_sid, if_sid,
5067 				 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5068 			return NF_DROP_ERR(-ECONNREFUSED);
5069 
5070 		if (sel_netnode_sid(addrp, family, &node_sid))
5071 			return NF_DROP;
5072 		if (avc_has_perm(peer_sid, node_sid,
5073 				 SECCLASS_NODE, NODE__SENDTO, &ad))
5074 			return NF_DROP_ERR(-ECONNREFUSED);
5075 	}
5076 
5077 	return NF_ACCEPT;
5078 }
5079 
5080 static unsigned int selinux_ipv4_postroute(const struct nf_hook_ops *ops,
5081 					   struct sk_buff *skb,
5082 					   const struct nf_hook_state *state)
5083 {
5084 	return selinux_ip_postroute(skb, state->out, PF_INET);
5085 }
5086 
5087 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5088 static unsigned int selinux_ipv6_postroute(const struct nf_hook_ops *ops,
5089 					   struct sk_buff *skb,
5090 					   const struct nf_hook_state *state)
5091 {
5092 	return selinux_ip_postroute(skb, state->out, PF_INET6);
5093 }
5094 #endif	/* IPV6 */
5095 
5096 #endif	/* CONFIG_NETFILTER */
5097 
5098 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5099 {
5100 	int err;
5101 
5102 	err = cap_netlink_send(sk, skb);
5103 	if (err)
5104 		return err;
5105 
5106 	return selinux_nlmsg_perm(sk, skb);
5107 }
5108 
5109 static int ipc_alloc_security(struct task_struct *task,
5110 			      struct kern_ipc_perm *perm,
5111 			      u16 sclass)
5112 {
5113 	struct ipc_security_struct *isec;
5114 	u32 sid;
5115 
5116 	isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
5117 	if (!isec)
5118 		return -ENOMEM;
5119 
5120 	sid = task_sid(task);
5121 	isec->sclass = sclass;
5122 	isec->sid = sid;
5123 	perm->security = isec;
5124 
5125 	return 0;
5126 }
5127 
5128 static void ipc_free_security(struct kern_ipc_perm *perm)
5129 {
5130 	struct ipc_security_struct *isec = perm->security;
5131 	perm->security = NULL;
5132 	kfree(isec);
5133 }
5134 
5135 static int msg_msg_alloc_security(struct msg_msg *msg)
5136 {
5137 	struct msg_security_struct *msec;
5138 
5139 	msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
5140 	if (!msec)
5141 		return -ENOMEM;
5142 
5143 	msec->sid = SECINITSID_UNLABELED;
5144 	msg->security = msec;
5145 
5146 	return 0;
5147 }
5148 
5149 static void msg_msg_free_security(struct msg_msg *msg)
5150 {
5151 	struct msg_security_struct *msec = msg->security;
5152 
5153 	msg->security = NULL;
5154 	kfree(msec);
5155 }
5156 
5157 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5158 			u32 perms)
5159 {
5160 	struct ipc_security_struct *isec;
5161 	struct common_audit_data ad;
5162 	u32 sid = current_sid();
5163 
5164 	isec = ipc_perms->security;
5165 
5166 	ad.type = LSM_AUDIT_DATA_IPC;
5167 	ad.u.ipc_id = ipc_perms->key;
5168 
5169 	return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
5170 }
5171 
5172 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
5173 {
5174 	return msg_msg_alloc_security(msg);
5175 }
5176 
5177 static void selinux_msg_msg_free_security(struct msg_msg *msg)
5178 {
5179 	msg_msg_free_security(msg);
5180 }
5181 
5182 /* message queue security operations */
5183 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
5184 {
5185 	struct ipc_security_struct *isec;
5186 	struct common_audit_data ad;
5187 	u32 sid = current_sid();
5188 	int rc;
5189 
5190 	rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
5191 	if (rc)
5192 		return rc;
5193 
5194 	isec = msq->q_perm.security;
5195 
5196 	ad.type = LSM_AUDIT_DATA_IPC;
5197 	ad.u.ipc_id = msq->q_perm.key;
5198 
5199 	rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5200 			  MSGQ__CREATE, &ad);
5201 	if (rc) {
5202 		ipc_free_security(&msq->q_perm);
5203 		return rc;
5204 	}
5205 	return 0;
5206 }
5207 
5208 static void selinux_msg_queue_free_security(struct msg_queue *msq)
5209 {
5210 	ipc_free_security(&msq->q_perm);
5211 }
5212 
5213 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
5214 {
5215 	struct ipc_security_struct *isec;
5216 	struct common_audit_data ad;
5217 	u32 sid = current_sid();
5218 
5219 	isec = msq->q_perm.security;
5220 
5221 	ad.type = LSM_AUDIT_DATA_IPC;
5222 	ad.u.ipc_id = msq->q_perm.key;
5223 
5224 	return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5225 			    MSGQ__ASSOCIATE, &ad);
5226 }
5227 
5228 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
5229 {
5230 	int err;
5231 	int perms;
5232 
5233 	switch (cmd) {
5234 	case IPC_INFO:
5235 	case MSG_INFO:
5236 		/* No specific object, just general system-wide information. */
5237 		return task_has_system(current, SYSTEM__IPC_INFO);
5238 	case IPC_STAT:
5239 	case MSG_STAT:
5240 		perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
5241 		break;
5242 	case IPC_SET:
5243 		perms = MSGQ__SETATTR;
5244 		break;
5245 	case IPC_RMID:
5246 		perms = MSGQ__DESTROY;
5247 		break;
5248 	default:
5249 		return 0;
5250 	}
5251 
5252 	err = ipc_has_perm(&msq->q_perm, perms);
5253 	return err;
5254 }
5255 
5256 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
5257 {
5258 	struct ipc_security_struct *isec;
5259 	struct msg_security_struct *msec;
5260 	struct common_audit_data ad;
5261 	u32 sid = current_sid();
5262 	int rc;
5263 
5264 	isec = msq->q_perm.security;
5265 	msec = msg->security;
5266 
5267 	/*
5268 	 * First time through, need to assign label to the message
5269 	 */
5270 	if (msec->sid == SECINITSID_UNLABELED) {
5271 		/*
5272 		 * Compute new sid based on current process and
5273 		 * message queue this message will be stored in
5274 		 */
5275 		rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
5276 					     NULL, &msec->sid);
5277 		if (rc)
5278 			return rc;
5279 	}
5280 
5281 	ad.type = LSM_AUDIT_DATA_IPC;
5282 	ad.u.ipc_id = msq->q_perm.key;
5283 
5284 	/* Can this process write to the queue? */
5285 	rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5286 			  MSGQ__WRITE, &ad);
5287 	if (!rc)
5288 		/* Can this process send the message */
5289 		rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
5290 				  MSG__SEND, &ad);
5291 	if (!rc)
5292 		/* Can the message be put in the queue? */
5293 		rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
5294 				  MSGQ__ENQUEUE, &ad);
5295 
5296 	return rc;
5297 }
5298 
5299 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
5300 				    struct task_struct *target,
5301 				    long type, int mode)
5302 {
5303 	struct ipc_security_struct *isec;
5304 	struct msg_security_struct *msec;
5305 	struct common_audit_data ad;
5306 	u32 sid = task_sid(target);
5307 	int rc;
5308 
5309 	isec = msq->q_perm.security;
5310 	msec = msg->security;
5311 
5312 	ad.type = LSM_AUDIT_DATA_IPC;
5313 	ad.u.ipc_id = msq->q_perm.key;
5314 
5315 	rc = avc_has_perm(sid, isec->sid,
5316 			  SECCLASS_MSGQ, MSGQ__READ, &ad);
5317 	if (!rc)
5318 		rc = avc_has_perm(sid, msec->sid,
5319 				  SECCLASS_MSG, MSG__RECEIVE, &ad);
5320 	return rc;
5321 }
5322 
5323 /* Shared Memory security operations */
5324 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
5325 {
5326 	struct ipc_security_struct *isec;
5327 	struct common_audit_data ad;
5328 	u32 sid = current_sid();
5329 	int rc;
5330 
5331 	rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
5332 	if (rc)
5333 		return rc;
5334 
5335 	isec = shp->shm_perm.security;
5336 
5337 	ad.type = LSM_AUDIT_DATA_IPC;
5338 	ad.u.ipc_id = shp->shm_perm.key;
5339 
5340 	rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5341 			  SHM__CREATE, &ad);
5342 	if (rc) {
5343 		ipc_free_security(&shp->shm_perm);
5344 		return rc;
5345 	}
5346 	return 0;
5347 }
5348 
5349 static void selinux_shm_free_security(struct shmid_kernel *shp)
5350 {
5351 	ipc_free_security(&shp->shm_perm);
5352 }
5353 
5354 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
5355 {
5356 	struct ipc_security_struct *isec;
5357 	struct common_audit_data ad;
5358 	u32 sid = current_sid();
5359 
5360 	isec = shp->shm_perm.security;
5361 
5362 	ad.type = LSM_AUDIT_DATA_IPC;
5363 	ad.u.ipc_id = shp->shm_perm.key;
5364 
5365 	return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5366 			    SHM__ASSOCIATE, &ad);
5367 }
5368 
5369 /* Note, at this point, shp is locked down */
5370 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5371 {
5372 	int perms;
5373 	int err;
5374 
5375 	switch (cmd) {
5376 	case IPC_INFO:
5377 	case SHM_INFO:
5378 		/* No specific object, just general system-wide information. */
5379 		return task_has_system(current, SYSTEM__IPC_INFO);
5380 	case IPC_STAT:
5381 	case SHM_STAT:
5382 		perms = SHM__GETATTR | SHM__ASSOCIATE;
5383 		break;
5384 	case IPC_SET:
5385 		perms = SHM__SETATTR;
5386 		break;
5387 	case SHM_LOCK:
5388 	case SHM_UNLOCK:
5389 		perms = SHM__LOCK;
5390 		break;
5391 	case IPC_RMID:
5392 		perms = SHM__DESTROY;
5393 		break;
5394 	default:
5395 		return 0;
5396 	}
5397 
5398 	err = ipc_has_perm(&shp->shm_perm, perms);
5399 	return err;
5400 }
5401 
5402 static int selinux_shm_shmat(struct shmid_kernel *shp,
5403 			     char __user *shmaddr, int shmflg)
5404 {
5405 	u32 perms;
5406 
5407 	if (shmflg & SHM_RDONLY)
5408 		perms = SHM__READ;
5409 	else
5410 		perms = SHM__READ | SHM__WRITE;
5411 
5412 	return ipc_has_perm(&shp->shm_perm, perms);
5413 }
5414 
5415 /* Semaphore security operations */
5416 static int selinux_sem_alloc_security(struct sem_array *sma)
5417 {
5418 	struct ipc_security_struct *isec;
5419 	struct common_audit_data ad;
5420 	u32 sid = current_sid();
5421 	int rc;
5422 
5423 	rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
5424 	if (rc)
5425 		return rc;
5426 
5427 	isec = sma->sem_perm.security;
5428 
5429 	ad.type = LSM_AUDIT_DATA_IPC;
5430 	ad.u.ipc_id = sma->sem_perm.key;
5431 
5432 	rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5433 			  SEM__CREATE, &ad);
5434 	if (rc) {
5435 		ipc_free_security(&sma->sem_perm);
5436 		return rc;
5437 	}
5438 	return 0;
5439 }
5440 
5441 static void selinux_sem_free_security(struct sem_array *sma)
5442 {
5443 	ipc_free_security(&sma->sem_perm);
5444 }
5445 
5446 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5447 {
5448 	struct ipc_security_struct *isec;
5449 	struct common_audit_data ad;
5450 	u32 sid = current_sid();
5451 
5452 	isec = sma->sem_perm.security;
5453 
5454 	ad.type = LSM_AUDIT_DATA_IPC;
5455 	ad.u.ipc_id = sma->sem_perm.key;
5456 
5457 	return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5458 			    SEM__ASSOCIATE, &ad);
5459 }
5460 
5461 /* Note, at this point, sma is locked down */
5462 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5463 {
5464 	int err;
5465 	u32 perms;
5466 
5467 	switch (cmd) {
5468 	case IPC_INFO:
5469 	case SEM_INFO:
5470 		/* No specific object, just general system-wide information. */
5471 		return task_has_system(current, SYSTEM__IPC_INFO);
5472 	case GETPID:
5473 	case GETNCNT:
5474 	case GETZCNT:
5475 		perms = SEM__GETATTR;
5476 		break;
5477 	case GETVAL:
5478 	case GETALL:
5479 		perms = SEM__READ;
5480 		break;
5481 	case SETVAL:
5482 	case SETALL:
5483 		perms = SEM__WRITE;
5484 		break;
5485 	case IPC_RMID:
5486 		perms = SEM__DESTROY;
5487 		break;
5488 	case IPC_SET:
5489 		perms = SEM__SETATTR;
5490 		break;
5491 	case IPC_STAT:
5492 	case SEM_STAT:
5493 		perms = SEM__GETATTR | SEM__ASSOCIATE;
5494 		break;
5495 	default:
5496 		return 0;
5497 	}
5498 
5499 	err = ipc_has_perm(&sma->sem_perm, perms);
5500 	return err;
5501 }
5502 
5503 static int selinux_sem_semop(struct sem_array *sma,
5504 			     struct sembuf *sops, unsigned nsops, int alter)
5505 {
5506 	u32 perms;
5507 
5508 	if (alter)
5509 		perms = SEM__READ | SEM__WRITE;
5510 	else
5511 		perms = SEM__READ;
5512 
5513 	return ipc_has_perm(&sma->sem_perm, perms);
5514 }
5515 
5516 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5517 {
5518 	u32 av = 0;
5519 
5520 	av = 0;
5521 	if (flag & S_IRUGO)
5522 		av |= IPC__UNIX_READ;
5523 	if (flag & S_IWUGO)
5524 		av |= IPC__UNIX_WRITE;
5525 
5526 	if (av == 0)
5527 		return 0;
5528 
5529 	return ipc_has_perm(ipcp, av);
5530 }
5531 
5532 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5533 {
5534 	struct ipc_security_struct *isec = ipcp->security;
5535 	*secid = isec->sid;
5536 }
5537 
5538 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5539 {
5540 	if (inode)
5541 		inode_doinit_with_dentry(inode, dentry);
5542 }
5543 
5544 static int selinux_getprocattr(struct task_struct *p,
5545 			       char *name, char **value)
5546 {
5547 	const struct task_security_struct *__tsec;
5548 	u32 sid;
5549 	int error;
5550 	unsigned len;
5551 
5552 	if (current != p) {
5553 		error = current_has_perm(p, PROCESS__GETATTR);
5554 		if (error)
5555 			return error;
5556 	}
5557 
5558 	rcu_read_lock();
5559 	__tsec = __task_cred(p)->security;
5560 
5561 	if (!strcmp(name, "current"))
5562 		sid = __tsec->sid;
5563 	else if (!strcmp(name, "prev"))
5564 		sid = __tsec->osid;
5565 	else if (!strcmp(name, "exec"))
5566 		sid = __tsec->exec_sid;
5567 	else if (!strcmp(name, "fscreate"))
5568 		sid = __tsec->create_sid;
5569 	else if (!strcmp(name, "keycreate"))
5570 		sid = __tsec->keycreate_sid;
5571 	else if (!strcmp(name, "sockcreate"))
5572 		sid = __tsec->sockcreate_sid;
5573 	else
5574 		goto invalid;
5575 	rcu_read_unlock();
5576 
5577 	if (!sid)
5578 		return 0;
5579 
5580 	error = security_sid_to_context(sid, value, &len);
5581 	if (error)
5582 		return error;
5583 	return len;
5584 
5585 invalid:
5586 	rcu_read_unlock();
5587 	return -EINVAL;
5588 }
5589 
5590 static int selinux_setprocattr(struct task_struct *p,
5591 			       char *name, void *value, size_t size)
5592 {
5593 	struct task_security_struct *tsec;
5594 	struct task_struct *tracer;
5595 	struct cred *new;
5596 	u32 sid = 0, ptsid;
5597 	int error;
5598 	char *str = value;
5599 
5600 	if (current != p) {
5601 		/* SELinux only allows a process to change its own
5602 		   security attributes. */
5603 		return -EACCES;
5604 	}
5605 
5606 	/*
5607 	 * Basic control over ability to set these attributes at all.
5608 	 * current == p, but we'll pass them separately in case the
5609 	 * above restriction is ever removed.
5610 	 */
5611 	if (!strcmp(name, "exec"))
5612 		error = current_has_perm(p, PROCESS__SETEXEC);
5613 	else if (!strcmp(name, "fscreate"))
5614 		error = current_has_perm(p, PROCESS__SETFSCREATE);
5615 	else if (!strcmp(name, "keycreate"))
5616 		error = current_has_perm(p, PROCESS__SETKEYCREATE);
5617 	else if (!strcmp(name, "sockcreate"))
5618 		error = current_has_perm(p, PROCESS__SETSOCKCREATE);
5619 	else if (!strcmp(name, "current"))
5620 		error = current_has_perm(p, PROCESS__SETCURRENT);
5621 	else
5622 		error = -EINVAL;
5623 	if (error)
5624 		return error;
5625 
5626 	/* Obtain a SID for the context, if one was specified. */
5627 	if (size && str[1] && str[1] != '\n') {
5628 		if (str[size-1] == '\n') {
5629 			str[size-1] = 0;
5630 			size--;
5631 		}
5632 		error = security_context_to_sid(value, size, &sid, GFP_KERNEL);
5633 		if (error == -EINVAL && !strcmp(name, "fscreate")) {
5634 			if (!capable(CAP_MAC_ADMIN)) {
5635 				struct audit_buffer *ab;
5636 				size_t audit_size;
5637 
5638 				/* We strip a nul only if it is at the end, otherwise the
5639 				 * context contains a nul and we should audit that */
5640 				if (str[size - 1] == '\0')
5641 					audit_size = size - 1;
5642 				else
5643 					audit_size = size;
5644 				ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
5645 				audit_log_format(ab, "op=fscreate invalid_context=");
5646 				audit_log_n_untrustedstring(ab, value, audit_size);
5647 				audit_log_end(ab);
5648 
5649 				return error;
5650 			}
5651 			error = security_context_to_sid_force(value, size,
5652 							      &sid);
5653 		}
5654 		if (error)
5655 			return error;
5656 	}
5657 
5658 	new = prepare_creds();
5659 	if (!new)
5660 		return -ENOMEM;
5661 
5662 	/* Permission checking based on the specified context is
5663 	   performed during the actual operation (execve,
5664 	   open/mkdir/...), when we know the full context of the
5665 	   operation.  See selinux_bprm_set_creds for the execve
5666 	   checks and may_create for the file creation checks. The
5667 	   operation will then fail if the context is not permitted. */
5668 	tsec = new->security;
5669 	if (!strcmp(name, "exec")) {
5670 		tsec->exec_sid = sid;
5671 	} else if (!strcmp(name, "fscreate")) {
5672 		tsec->create_sid = sid;
5673 	} else if (!strcmp(name, "keycreate")) {
5674 		error = may_create_key(sid, p);
5675 		if (error)
5676 			goto abort_change;
5677 		tsec->keycreate_sid = sid;
5678 	} else if (!strcmp(name, "sockcreate")) {
5679 		tsec->sockcreate_sid = sid;
5680 	} else if (!strcmp(name, "current")) {
5681 		error = -EINVAL;
5682 		if (sid == 0)
5683 			goto abort_change;
5684 
5685 		/* Only allow single threaded processes to change context */
5686 		error = -EPERM;
5687 		if (!current_is_single_threaded()) {
5688 			error = security_bounded_transition(tsec->sid, sid);
5689 			if (error)
5690 				goto abort_change;
5691 		}
5692 
5693 		/* Check permissions for the transition. */
5694 		error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5695 				     PROCESS__DYNTRANSITION, NULL);
5696 		if (error)
5697 			goto abort_change;
5698 
5699 		/* Check for ptracing, and update the task SID if ok.
5700 		   Otherwise, leave SID unchanged and fail. */
5701 		ptsid = 0;
5702 		rcu_read_lock();
5703 		tracer = ptrace_parent(p);
5704 		if (tracer)
5705 			ptsid = task_sid(tracer);
5706 		rcu_read_unlock();
5707 
5708 		if (tracer) {
5709 			error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5710 					     PROCESS__PTRACE, NULL);
5711 			if (error)
5712 				goto abort_change;
5713 		}
5714 
5715 		tsec->sid = sid;
5716 	} else {
5717 		error = -EINVAL;
5718 		goto abort_change;
5719 	}
5720 
5721 	commit_creds(new);
5722 	return size;
5723 
5724 abort_change:
5725 	abort_creds(new);
5726 	return error;
5727 }
5728 
5729 static int selinux_ismaclabel(const char *name)
5730 {
5731 	return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
5732 }
5733 
5734 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5735 {
5736 	return security_sid_to_context(secid, secdata, seclen);
5737 }
5738 
5739 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5740 {
5741 	return security_context_to_sid(secdata, seclen, secid, GFP_KERNEL);
5742 }
5743 
5744 static void selinux_release_secctx(char *secdata, u32 seclen)
5745 {
5746 	kfree(secdata);
5747 }
5748 
5749 /*
5750  *	called with inode->i_mutex locked
5751  */
5752 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
5753 {
5754 	return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
5755 }
5756 
5757 /*
5758  *	called with inode->i_mutex locked
5759  */
5760 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
5761 {
5762 	return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
5763 }
5764 
5765 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
5766 {
5767 	int len = 0;
5768 	len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
5769 						ctx, true);
5770 	if (len < 0)
5771 		return len;
5772 	*ctxlen = len;
5773 	return 0;
5774 }
5775 #ifdef CONFIG_KEYS
5776 
5777 static int selinux_key_alloc(struct key *k, const struct cred *cred,
5778 			     unsigned long flags)
5779 {
5780 	const struct task_security_struct *tsec;
5781 	struct key_security_struct *ksec;
5782 
5783 	ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5784 	if (!ksec)
5785 		return -ENOMEM;
5786 
5787 	tsec = cred->security;
5788 	if (tsec->keycreate_sid)
5789 		ksec->sid = tsec->keycreate_sid;
5790 	else
5791 		ksec->sid = tsec->sid;
5792 
5793 	k->security = ksec;
5794 	return 0;
5795 }
5796 
5797 static void selinux_key_free(struct key *k)
5798 {
5799 	struct key_security_struct *ksec = k->security;
5800 
5801 	k->security = NULL;
5802 	kfree(ksec);
5803 }
5804 
5805 static int selinux_key_permission(key_ref_t key_ref,
5806 				  const struct cred *cred,
5807 				  unsigned perm)
5808 {
5809 	struct key *key;
5810 	struct key_security_struct *ksec;
5811 	u32 sid;
5812 
5813 	/* if no specific permissions are requested, we skip the
5814 	   permission check. No serious, additional covert channels
5815 	   appear to be created. */
5816 	if (perm == 0)
5817 		return 0;
5818 
5819 	sid = cred_sid(cred);
5820 
5821 	key = key_ref_to_ptr(key_ref);
5822 	ksec = key->security;
5823 
5824 	return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
5825 }
5826 
5827 static int selinux_key_getsecurity(struct key *key, char **_buffer)
5828 {
5829 	struct key_security_struct *ksec = key->security;
5830 	char *context = NULL;
5831 	unsigned len;
5832 	int rc;
5833 
5834 	rc = security_sid_to_context(ksec->sid, &context, &len);
5835 	if (!rc)
5836 		rc = len;
5837 	*_buffer = context;
5838 	return rc;
5839 }
5840 
5841 #endif
5842 
5843 static struct security_operations selinux_ops = {
5844 	.name =				"selinux",
5845 
5846 	.binder_set_context_mgr =	selinux_binder_set_context_mgr,
5847 	.binder_transaction =		selinux_binder_transaction,
5848 	.binder_transfer_binder =	selinux_binder_transfer_binder,
5849 	.binder_transfer_file =		selinux_binder_transfer_file,
5850 
5851 	.ptrace_access_check =		selinux_ptrace_access_check,
5852 	.ptrace_traceme =		selinux_ptrace_traceme,
5853 	.capget =			selinux_capget,
5854 	.capset =			selinux_capset,
5855 	.capable =			selinux_capable,
5856 	.quotactl =			selinux_quotactl,
5857 	.quota_on =			selinux_quota_on,
5858 	.syslog =			selinux_syslog,
5859 	.vm_enough_memory =		selinux_vm_enough_memory,
5860 
5861 	.netlink_send =			selinux_netlink_send,
5862 
5863 	.bprm_set_creds =		selinux_bprm_set_creds,
5864 	.bprm_committing_creds =	selinux_bprm_committing_creds,
5865 	.bprm_committed_creds =		selinux_bprm_committed_creds,
5866 	.bprm_secureexec =		selinux_bprm_secureexec,
5867 
5868 	.sb_alloc_security =		selinux_sb_alloc_security,
5869 	.sb_free_security =		selinux_sb_free_security,
5870 	.sb_copy_data =			selinux_sb_copy_data,
5871 	.sb_remount =			selinux_sb_remount,
5872 	.sb_kern_mount =		selinux_sb_kern_mount,
5873 	.sb_show_options =		selinux_sb_show_options,
5874 	.sb_statfs =			selinux_sb_statfs,
5875 	.sb_mount =			selinux_mount,
5876 	.sb_umount =			selinux_umount,
5877 	.sb_set_mnt_opts =		selinux_set_mnt_opts,
5878 	.sb_clone_mnt_opts =		selinux_sb_clone_mnt_opts,
5879 	.sb_parse_opts_str = 		selinux_parse_opts_str,
5880 
5881 	.dentry_init_security =		selinux_dentry_init_security,
5882 
5883 	.inode_alloc_security =		selinux_inode_alloc_security,
5884 	.inode_free_security =		selinux_inode_free_security,
5885 	.inode_init_security =		selinux_inode_init_security,
5886 	.inode_create =			selinux_inode_create,
5887 	.inode_link =			selinux_inode_link,
5888 	.inode_unlink =			selinux_inode_unlink,
5889 	.inode_symlink =		selinux_inode_symlink,
5890 	.inode_mkdir =			selinux_inode_mkdir,
5891 	.inode_rmdir =			selinux_inode_rmdir,
5892 	.inode_mknod =			selinux_inode_mknod,
5893 	.inode_rename =			selinux_inode_rename,
5894 	.inode_readlink =		selinux_inode_readlink,
5895 	.inode_follow_link =		selinux_inode_follow_link,
5896 	.inode_permission =		selinux_inode_permission,
5897 	.inode_setattr =		selinux_inode_setattr,
5898 	.inode_getattr =		selinux_inode_getattr,
5899 	.inode_setxattr =		selinux_inode_setxattr,
5900 	.inode_post_setxattr =		selinux_inode_post_setxattr,
5901 	.inode_getxattr =		selinux_inode_getxattr,
5902 	.inode_listxattr =		selinux_inode_listxattr,
5903 	.inode_removexattr =		selinux_inode_removexattr,
5904 	.inode_getsecurity =		selinux_inode_getsecurity,
5905 	.inode_setsecurity =		selinux_inode_setsecurity,
5906 	.inode_listsecurity =		selinux_inode_listsecurity,
5907 	.inode_getsecid =		selinux_inode_getsecid,
5908 
5909 	.file_permission =		selinux_file_permission,
5910 	.file_alloc_security =		selinux_file_alloc_security,
5911 	.file_free_security =		selinux_file_free_security,
5912 	.file_ioctl =			selinux_file_ioctl,
5913 	.mmap_file =			selinux_mmap_file,
5914 	.mmap_addr =			selinux_mmap_addr,
5915 	.file_mprotect =		selinux_file_mprotect,
5916 	.file_lock =			selinux_file_lock,
5917 	.file_fcntl =			selinux_file_fcntl,
5918 	.file_set_fowner =		selinux_file_set_fowner,
5919 	.file_send_sigiotask =		selinux_file_send_sigiotask,
5920 	.file_receive =			selinux_file_receive,
5921 
5922 	.file_open =			selinux_file_open,
5923 
5924 	.task_create =			selinux_task_create,
5925 	.cred_alloc_blank =		selinux_cred_alloc_blank,
5926 	.cred_free =			selinux_cred_free,
5927 	.cred_prepare =			selinux_cred_prepare,
5928 	.cred_transfer =		selinux_cred_transfer,
5929 	.kernel_act_as =		selinux_kernel_act_as,
5930 	.kernel_create_files_as =	selinux_kernel_create_files_as,
5931 	.kernel_module_request =	selinux_kernel_module_request,
5932 	.task_setpgid =			selinux_task_setpgid,
5933 	.task_getpgid =			selinux_task_getpgid,
5934 	.task_getsid =			selinux_task_getsid,
5935 	.task_getsecid =		selinux_task_getsecid,
5936 	.task_setnice =			selinux_task_setnice,
5937 	.task_setioprio =		selinux_task_setioprio,
5938 	.task_getioprio =		selinux_task_getioprio,
5939 	.task_setrlimit =		selinux_task_setrlimit,
5940 	.task_setscheduler =		selinux_task_setscheduler,
5941 	.task_getscheduler =		selinux_task_getscheduler,
5942 	.task_movememory =		selinux_task_movememory,
5943 	.task_kill =			selinux_task_kill,
5944 	.task_wait =			selinux_task_wait,
5945 	.task_to_inode =		selinux_task_to_inode,
5946 
5947 	.ipc_permission =		selinux_ipc_permission,
5948 	.ipc_getsecid =			selinux_ipc_getsecid,
5949 
5950 	.msg_msg_alloc_security =	selinux_msg_msg_alloc_security,
5951 	.msg_msg_free_security =	selinux_msg_msg_free_security,
5952 
5953 	.msg_queue_alloc_security =	selinux_msg_queue_alloc_security,
5954 	.msg_queue_free_security =	selinux_msg_queue_free_security,
5955 	.msg_queue_associate =		selinux_msg_queue_associate,
5956 	.msg_queue_msgctl =		selinux_msg_queue_msgctl,
5957 	.msg_queue_msgsnd =		selinux_msg_queue_msgsnd,
5958 	.msg_queue_msgrcv =		selinux_msg_queue_msgrcv,
5959 
5960 	.shm_alloc_security =		selinux_shm_alloc_security,
5961 	.shm_free_security =		selinux_shm_free_security,
5962 	.shm_associate =		selinux_shm_associate,
5963 	.shm_shmctl =			selinux_shm_shmctl,
5964 	.shm_shmat =			selinux_shm_shmat,
5965 
5966 	.sem_alloc_security =		selinux_sem_alloc_security,
5967 	.sem_free_security =		selinux_sem_free_security,
5968 	.sem_associate =		selinux_sem_associate,
5969 	.sem_semctl =			selinux_sem_semctl,
5970 	.sem_semop =			selinux_sem_semop,
5971 
5972 	.d_instantiate =		selinux_d_instantiate,
5973 
5974 	.getprocattr =			selinux_getprocattr,
5975 	.setprocattr =			selinux_setprocattr,
5976 
5977 	.ismaclabel =			selinux_ismaclabel,
5978 	.secid_to_secctx =		selinux_secid_to_secctx,
5979 	.secctx_to_secid =		selinux_secctx_to_secid,
5980 	.release_secctx =		selinux_release_secctx,
5981 	.inode_notifysecctx =		selinux_inode_notifysecctx,
5982 	.inode_setsecctx =		selinux_inode_setsecctx,
5983 	.inode_getsecctx =		selinux_inode_getsecctx,
5984 
5985 	.unix_stream_connect =		selinux_socket_unix_stream_connect,
5986 	.unix_may_send =		selinux_socket_unix_may_send,
5987 
5988 	.socket_create =		selinux_socket_create,
5989 	.socket_post_create =		selinux_socket_post_create,
5990 	.socket_bind =			selinux_socket_bind,
5991 	.socket_connect =		selinux_socket_connect,
5992 	.socket_listen =		selinux_socket_listen,
5993 	.socket_accept =		selinux_socket_accept,
5994 	.socket_sendmsg =		selinux_socket_sendmsg,
5995 	.socket_recvmsg =		selinux_socket_recvmsg,
5996 	.socket_getsockname =		selinux_socket_getsockname,
5997 	.socket_getpeername =		selinux_socket_getpeername,
5998 	.socket_getsockopt =		selinux_socket_getsockopt,
5999 	.socket_setsockopt =		selinux_socket_setsockopt,
6000 	.socket_shutdown =		selinux_socket_shutdown,
6001 	.socket_sock_rcv_skb =		selinux_socket_sock_rcv_skb,
6002 	.socket_getpeersec_stream =	selinux_socket_getpeersec_stream,
6003 	.socket_getpeersec_dgram =	selinux_socket_getpeersec_dgram,
6004 	.sk_alloc_security =		selinux_sk_alloc_security,
6005 	.sk_free_security =		selinux_sk_free_security,
6006 	.sk_clone_security =		selinux_sk_clone_security,
6007 	.sk_getsecid =			selinux_sk_getsecid,
6008 	.sock_graft =			selinux_sock_graft,
6009 	.inet_conn_request =		selinux_inet_conn_request,
6010 	.inet_csk_clone =		selinux_inet_csk_clone,
6011 	.inet_conn_established =	selinux_inet_conn_established,
6012 	.secmark_relabel_packet =	selinux_secmark_relabel_packet,
6013 	.secmark_refcount_inc =		selinux_secmark_refcount_inc,
6014 	.secmark_refcount_dec =		selinux_secmark_refcount_dec,
6015 	.req_classify_flow =		selinux_req_classify_flow,
6016 	.tun_dev_alloc_security =	selinux_tun_dev_alloc_security,
6017 	.tun_dev_free_security =	selinux_tun_dev_free_security,
6018 	.tun_dev_create =		selinux_tun_dev_create,
6019 	.tun_dev_attach_queue =		selinux_tun_dev_attach_queue,
6020 	.tun_dev_attach =		selinux_tun_dev_attach,
6021 	.tun_dev_open =			selinux_tun_dev_open,
6022 
6023 #ifdef CONFIG_SECURITY_NETWORK_XFRM
6024 	.xfrm_policy_alloc_security =	selinux_xfrm_policy_alloc,
6025 	.xfrm_policy_clone_security =	selinux_xfrm_policy_clone,
6026 	.xfrm_policy_free_security =	selinux_xfrm_policy_free,
6027 	.xfrm_policy_delete_security =	selinux_xfrm_policy_delete,
6028 	.xfrm_state_alloc =		selinux_xfrm_state_alloc,
6029 	.xfrm_state_alloc_acquire =	selinux_xfrm_state_alloc_acquire,
6030 	.xfrm_state_free_security =	selinux_xfrm_state_free,
6031 	.xfrm_state_delete_security =	selinux_xfrm_state_delete,
6032 	.xfrm_policy_lookup =		selinux_xfrm_policy_lookup,
6033 	.xfrm_state_pol_flow_match =	selinux_xfrm_state_pol_flow_match,
6034 	.xfrm_decode_session =		selinux_xfrm_decode_session,
6035 #endif
6036 
6037 #ifdef CONFIG_KEYS
6038 	.key_alloc =			selinux_key_alloc,
6039 	.key_free =			selinux_key_free,
6040 	.key_permission =		selinux_key_permission,
6041 	.key_getsecurity =		selinux_key_getsecurity,
6042 #endif
6043 
6044 #ifdef CONFIG_AUDIT
6045 	.audit_rule_init =		selinux_audit_rule_init,
6046 	.audit_rule_known =		selinux_audit_rule_known,
6047 	.audit_rule_match =		selinux_audit_rule_match,
6048 	.audit_rule_free =		selinux_audit_rule_free,
6049 #endif
6050 };
6051 
6052 static __init int selinux_init(void)
6053 {
6054 	if (!security_module_enable(&selinux_ops)) {
6055 		selinux_enabled = 0;
6056 		return 0;
6057 	}
6058 
6059 	if (!selinux_enabled) {
6060 		printk(KERN_INFO "SELinux:  Disabled at boot.\n");
6061 		return 0;
6062 	}
6063 
6064 	printk(KERN_INFO "SELinux:  Initializing.\n");
6065 
6066 	/* Set the security state for the initial task. */
6067 	cred_init_security();
6068 
6069 	default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
6070 
6071 	sel_inode_cache = kmem_cache_create("selinux_inode_security",
6072 					    sizeof(struct inode_security_struct),
6073 					    0, SLAB_PANIC, NULL);
6074 	avc_init();
6075 
6076 	if (register_security(&selinux_ops))
6077 		panic("SELinux: Unable to register with kernel.\n");
6078 
6079 	if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
6080 		panic("SELinux: Unable to register AVC netcache callback\n");
6081 
6082 	if (selinux_enforcing)
6083 		printk(KERN_DEBUG "SELinux:  Starting in enforcing mode\n");
6084 	else
6085 		printk(KERN_DEBUG "SELinux:  Starting in permissive mode\n");
6086 
6087 	return 0;
6088 }
6089 
6090 static void delayed_superblock_init(struct super_block *sb, void *unused)
6091 {
6092 	superblock_doinit(sb, NULL);
6093 }
6094 
6095 void selinux_complete_init(void)
6096 {
6097 	printk(KERN_DEBUG "SELinux:  Completing initialization.\n");
6098 
6099 	/* Set up any superblocks initialized prior to the policy load. */
6100 	printk(KERN_DEBUG "SELinux:  Setting up existing superblocks.\n");
6101 	iterate_supers(delayed_superblock_init, NULL);
6102 }
6103 
6104 /* SELinux requires early initialization in order to label
6105    all processes and objects when they are created. */
6106 security_initcall(selinux_init);
6107 
6108 #if defined(CONFIG_NETFILTER)
6109 
6110 static struct nf_hook_ops selinux_nf_ops[] = {
6111 	{
6112 		.hook =		selinux_ipv4_postroute,
6113 		.owner =	THIS_MODULE,
6114 		.pf =		NFPROTO_IPV4,
6115 		.hooknum =	NF_INET_POST_ROUTING,
6116 		.priority =	NF_IP_PRI_SELINUX_LAST,
6117 	},
6118 	{
6119 		.hook =		selinux_ipv4_forward,
6120 		.owner =	THIS_MODULE,
6121 		.pf =		NFPROTO_IPV4,
6122 		.hooknum =	NF_INET_FORWARD,
6123 		.priority =	NF_IP_PRI_SELINUX_FIRST,
6124 	},
6125 	{
6126 		.hook =		selinux_ipv4_output,
6127 		.owner =	THIS_MODULE,
6128 		.pf =		NFPROTO_IPV4,
6129 		.hooknum =	NF_INET_LOCAL_OUT,
6130 		.priority =	NF_IP_PRI_SELINUX_FIRST,
6131 	},
6132 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
6133 	{
6134 		.hook =		selinux_ipv6_postroute,
6135 		.owner =	THIS_MODULE,
6136 		.pf =		NFPROTO_IPV6,
6137 		.hooknum =	NF_INET_POST_ROUTING,
6138 		.priority =	NF_IP6_PRI_SELINUX_LAST,
6139 	},
6140 	{
6141 		.hook =		selinux_ipv6_forward,
6142 		.owner =	THIS_MODULE,
6143 		.pf =		NFPROTO_IPV6,
6144 		.hooknum =	NF_INET_FORWARD,
6145 		.priority =	NF_IP6_PRI_SELINUX_FIRST,
6146 	},
6147 #endif	/* IPV6 */
6148 };
6149 
6150 static int __init selinux_nf_ip_init(void)
6151 {
6152 	int err;
6153 
6154 	if (!selinux_enabled)
6155 		return 0;
6156 
6157 	printk(KERN_DEBUG "SELinux:  Registering netfilter hooks\n");
6158 
6159 	err = nf_register_hooks(selinux_nf_ops, ARRAY_SIZE(selinux_nf_ops));
6160 	if (err)
6161 		panic("SELinux: nf_register_hooks: error %d\n", err);
6162 
6163 	return 0;
6164 }
6165 
6166 __initcall(selinux_nf_ip_init);
6167 
6168 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6169 static void selinux_nf_ip_exit(void)
6170 {
6171 	printk(KERN_DEBUG "SELinux:  Unregistering netfilter hooks\n");
6172 
6173 	nf_unregister_hooks(selinux_nf_ops, ARRAY_SIZE(selinux_nf_ops));
6174 }
6175 #endif
6176 
6177 #else /* CONFIG_NETFILTER */
6178 
6179 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6180 #define selinux_nf_ip_exit()
6181 #endif
6182 
6183 #endif /* CONFIG_NETFILTER */
6184 
6185 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6186 static int selinux_disabled;
6187 
6188 int selinux_disable(void)
6189 {
6190 	if (ss_initialized) {
6191 		/* Not permitted after initial policy load. */
6192 		return -EINVAL;
6193 	}
6194 
6195 	if (selinux_disabled) {
6196 		/* Only do this once. */
6197 		return -EINVAL;
6198 	}
6199 
6200 	printk(KERN_INFO "SELinux:  Disabled at runtime.\n");
6201 
6202 	selinux_disabled = 1;
6203 	selinux_enabled = 0;
6204 
6205 	reset_security_ops();
6206 
6207 	/* Try to destroy the avc node cache */
6208 	avc_disable();
6209 
6210 	/* Unregister netfilter hooks. */
6211 	selinux_nf_ip_exit();
6212 
6213 	/* Unregister selinuxfs. */
6214 	exit_sel_fs();
6215 
6216 	return 0;
6217 }
6218 #endif
6219